Edit tour

Windows Analysis Report
HIRE SOA FOR DEC_2021.exe

Overview

General Information

Sample Name:	HIRE SOA FOR DEC_2021.exe
Analysis ID:	562107
MD5:	d8af2363d5a46336733b6121c0b4cf0e
SHA1:	fcb0ee44436230d924b2550fc9935ee76f2498fe
SHA256:	2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Self deletion via cmd delete

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses ipconfig to lookup or modify the Windows network settings

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

HIRE SOA FOR DEC_2021.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: D8AF2363D5A46336733B6121C0B4CF0E)

HIRE SOA FOR DEC_2021.exe (PID: 4744 cmdline: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: D8AF2363D5A46336733B6121C0B4CF0E)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 5252 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 5744 cmdline: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.littlesportsacademy.com/cxep/"], "decoy": ["estateglobal.info", "loransstore.com", "loginofy.com", "fjallravenz.online", "cefseguranca-app.com", "safontadiestramiento.com", "bubbleteapro.com", "morethanmummies.com", "serviciopersonalizadoweb.com", "headerbidder.info", "skworkforce.com", "heightsorthodontics.com", "chulavistapd.com", "southjerseyautobody.net", "chargedbygratitude.com", "meltingpotspot.com", "gdjiachen.com", "luckdrawprogram.com", "vintagepaseo.com", "bequestslojyh.xyz", "layeredrofbes.xyz", "com-weekly.email", "suddisaddu.com", "jnlord.com", "outerverse.ventures", "terraroyale.com", "hairclub.info", "rent2owninusa.com", "pmaonline.xyz", "wearecampo.com", "multiplezonesplit.com", "angry-mandala.com", "ikigaiofficial.store", "princewoodwork.store", "moviesaver24.com", "btec-solutions.com", "valurgrayenterprises.com", "homesofsilverspur.com", "leysy-y-nazareno.com", "grade8.tech", "ammarus.com", "researchjournal.net", "nicolaslacasse.com", "khukhuantainha.com", "resultlv.com", "toraportal.com", "wickedhunterworld.com", "clickspromolp.com", "b148tlrnd09ustnnaku2721.com", "high-low-ga.info", "norcalfirewoodllc.com", "fatima2021.com", "aaronsmathquest.com", "decal-mania.com", "spitfiredefenceindustries.com", "mireyita.com", "simonhaidomous.com", "roofingcontractorhickory.com", "mgav69.xyz", "spacebymeghan.com", "hot144.com", "mmfirewood.net", "akshayaasri.com", "bilgisayarimnekadar.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.littlesportsacademy.com/cxep/"], "decoy": ["estateglobal.info", "loransstore.com", "loginofy.com", "fjallravenz.online", "cefseguranca-app.com", "safontadiestramiento.com", "bubbleteapro.com", "morethanmummies.com", "serviciopersonalizadoweb.com", "headerbidder.info", "skworkforce.com", "heightsorthodontics.com", "chulavistapd.com", "southjerseyautobody.net", "chargedbygratitude.com", "meltingpotspot.com", "gdjiachen.com", "luckdrawprogram.com", "vintagepaseo.com", "bequestslojyh.xyz", "layeredrofbes.xyz", "com-weekly.email", "suddisaddu.com", "jnlord.com", "outerverse.ventures", "terraroyale.com", "hairclub.info", "rent2owninusa.com", "pmaonline.xyz", "wearecampo.com", "multiplezonesplit.com", "angry-mandala.com", "ikigaiofficial.store", "princewoodwork.store", "moviesaver24.com", "btec-solutions.com", "valurgrayenterprises.com", "homesofsilverspur.com", "leysy-y-nazareno.com", "grade8.tech", "ammarus.com", "researchjournal.net", "nicolaslacasse.com", "khukhuantainha.com", "resultlv.com", "toraportal.com", "wickedhunterworld.com", "clickspromolp.com", "b148tlrnd09ustnnaku2721.com", "high-low-ga.info", "norcalfirewoodllc.com", "fatima2021.com", "aaronsmathquest.com", "decal-mania.com", "spitfiredefenceindustries.com", "mireyita.com", "simonhaidomous.com", "roofingcontractorhickory.com", "mgav69.xyz", "spacebymeghan.com", "hot144.com", "mmfirewood.net", "akshayaasri.com", "bilgisayarimnekadar.com"]}

Multi AV Scanner detection for submitted file

Source: HIRE SOA FOR DEC_2021.exe	Virustotal: Detection: 41%			Perma Link
Source: HIRE SOA FOR DEC_2021.exe	ReversingLabs: Detection: 37%

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: phishing
Source: http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: www.littlesportsacademy.com/cxep/	Avira URL Cloud: Label: malware
Source: http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: HIRE SOA FOR DEC_2021.exe

Joe Sandbox ML: detected

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.ipconfig.exe.325796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.ipconfig.exe.28f11e8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: ipconfig.pdb source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.662712540.000000001AE50000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000001.00000003.664381253.000000001ACC0000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HIRE SOA FOR DEC_2021.exe, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00402630 FindFirstFileA,

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.estateglobal.info
Source: C:\Windows\explorer.exe	Network Connect: 212.1.210.76 80
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.86.185 80
Source: C:\Windows\explorer.exe	Domain query: www.com-weekly.email
Source: C:\Windows\explorer.exe	Domain query: www.mmfirewood.net
Source: C:\Windows\explorer.exe	Network Connect: 52.6.230.169 80
Source: C:\Windows\explorer.exe	Domain query: www.akshayaasri.com
Source: C:\Windows\explorer.exe	Domain query: www.fjallravenz.online
Source: C:\Windows\explorer.exe	Domain query: www.morethanmummies.com
Source: C:\Windows\explorer.exe	Domain query: www.simonhaidomous.com
Source: C:\Windows\explorer.exe	Network Connect: 154.212.212.21 80
Source: C:\Windows\explorer.exe	Domain query: www.spacebymeghan.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.littlesportsacademy.com/cxep/

Source: Joe Sandbox View	ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE

Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.fjallravenz.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.mmfirewood.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.simonhaidomous.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.spacebymeghan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.akshayaasri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 160.153.136.3 160.153.136.3

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Fri, 28 Jan 2022 12:43:52 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 28 Jan 2022 12:43:58 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72

Source: HIRE SOA FOR DEC_2021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: HIRE SOA FOR DEC_2021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown

DNS traffic detected: queries for: www.fjallravenz.online

Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.fjallravenz.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.mmfirewood.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.simonhaidomous.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.spacebymeghan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.akshayaasri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_0040604C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00404772
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70A17
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B8D6
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041D2C0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041CC12
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00408C90
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402D87
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041BE25
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B090
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C128EC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C120A8
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01002
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1E824
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4F900
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C122AE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFA2B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7EBB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0DBD2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C003DA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12B28
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AB40
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0D466
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5841F
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C125DD
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B40D20
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11D55
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12D07
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12EF7
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B66E30
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0D616
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1DFCE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E122AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFA2B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E003DA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E128EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E120A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1E824
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E01002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D66E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0D616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0D466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E125DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D40D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B8D6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265BE25
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265CC12
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02648C90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642D87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642D90

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02D4B150 appears 72 times
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: String function: 00B4B150 appears 48 times

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004185F0 NtCreateFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00418720 NtClose,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004187D0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041869A NtReadFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041871A NtClose,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004187CA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B898F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B895D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B897A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B898A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89820 NtEnumerateKey,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8B040 NtSuspendThread,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B899D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89950 NtQueueApcThread,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A10 NtQuerySection,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89B00 NtSetValueKey,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B895F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89560 NtWriteFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B896D0 NtCreateKey,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89650 NtQueryValueKey,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89770 NtSetInformationFile,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A770 NtOpenThread,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D896D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D895D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D898F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D898A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D899D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D897A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D895F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89560 NtWriteFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_026586A0 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02658720 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_026585F0 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265869A NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265871A NtClose,

Source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.667915341.000000001ADD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.663941940.000000001AF6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728301001.0000000002617000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728211881.0000000000DCF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe

Source: HIRE SOA FOR DEC_2021.exe	Virustotal: Detection: 41%
Source: HIRE SOA FOR DEC_2021.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File read: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Jump to behavior

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File created: C:\Users\user\AppData\Local\Temp\nslEC77.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@11/6

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: ipconfig.pdb source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.662712540.000000001AE50000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000001.00000003.664381253.000000001ACC0000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HIRE SOA FOR DEC_2021.exe, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B048 push eax; iretd
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B832 push eax; ret
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B83B push eax; ret
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B89C push eax; ret
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00415B24 push ecx; ret
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00415E10 push ebx; retf
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B7E5 push eax; ret
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B9D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D9D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02655B24 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B048 push eax; iretd
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B832 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B83B push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B89C push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02655E10 push ebx; retf
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B7E5 push eax; ret

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File created: C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002648614 second address: 000000000264861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000026489AE second address: 00000000026489B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 7116	Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4228	Thread sleep time: -36000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API coverage: 8.5 %
Source: C:\Windows\SysWOW64\ipconfig.exe	API coverage: 7.5 %

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API call chain: ExitProcess graph end node

Source: explorer.exe, 00000005.00000000.679147166.000000000A60E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.708371216.0000000006650000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.679147166.000000000A60E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.673990651.0000000004710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.688116349.0000000004791000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA~
Source: explorer.exe, 00000005.00000000.679317249.000000000A716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.679551971.000000000A784000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC706C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B458EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C02073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C14015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C14015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B60050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B60050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BD41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B84A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B84A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B63A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B58A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BD4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B51B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B51B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C15BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B73B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B73B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BF8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BCA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B67D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B83D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BF3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B88EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B78E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B58794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B44F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B44F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DD4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D63A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D58A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D84A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D84A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E15BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D51B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D51B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D73B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D73B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D458EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D60050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D60050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E02073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E14015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E14015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DD41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D88EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D78E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E01608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D58794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1070D mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_00409B50 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.estateglobal.info
Source: C:\Windows\explorer.exe	Network Connect: 212.1.210.76 80
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.86.185 80
Source: C:\Windows\explorer.exe	Domain query: www.com-weekly.email
Source: C:\Windows\explorer.exe	Domain query: www.mmfirewood.net
Source: C:\Windows\explorer.exe	Network Connect: 52.6.230.169 80
Source: C:\Windows\explorer.exe	Domain query: www.akshayaasri.com
Source: C:\Windows\explorer.exe	Domain query: www.fjallravenz.online
Source: C:\Windows\explorer.exe	Domain query: www.morethanmummies.com
Source: C:\Windows\explorer.exe	Domain query: www.simonhaidomous.com
Source: C:\Windows\explorer.exe	Network Connect: 154.212.212.21 80
Source: C:\Windows\explorer.exe	Domain query: www.spacebymeghan.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 280000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: unknown protection: read write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Memory written: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"

Source: explorer.exe, 00000005.00000000.686978439.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.704670462.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.672786767.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.675851677.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.712331473.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.698134921.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.679317249.000000000A716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	Path Interception	612 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	612 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HIRE SOA FOR DEC_2021.exe	42%	Virustotal		Browse
HIRE SOA FOR DEC_2021.exe	37%	ReversingLabs	Win32.Spyware.Noon
HIRE SOA FOR DEC_2021.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.ipconfig.exe.325796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.ipconfig.exe.28f11e8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
mmfirewood.net	1%	Virustotal		Browse
www.fjallravenz.online	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	phishing
http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
www.littlesportsacademy.com/cxep/	100%	Avira URL Cloud	malware
http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.mmfirewood.net/cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mmfirewood.net	160.153.136.3	true	true	1%, Virustotal, Browse	unknown
spacebymeghan.com	15.197.142.173	true	true		unknown
www.fjallravenz.online	104.21.86.185	true	true	4%, Virustotal, Browse	unknown
akshayaasri.com	212.1.210.76	true	true		unknown
www.morethanmummies.com	154.212.212.21	true	true		unknown
ghs.googlehosted.com	142.250.203.115	true	true		unknown
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	52.6.230.169	true	false		high
toraportal.com	34.102.136.180	true	true		unknown
www.skworkforce.com	unknown	unknown	true		unknown
www.akshayaasri.com	unknown	unknown	true		unknown
www.estateglobal.info	unknown	unknown	true		unknown
www.cefseguranca-app.com	unknown	unknown	true		unknown
www.toraportal.com	unknown	unknown	true		unknown
www.com-weekly.email	unknown	unknown	true		unknown
www.simonhaidomous.com	unknown	unknown	true		unknown
www.mmfirewood.net	unknown	unknown	true		unknown
www.spacebymeghan.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: phishing	unknown
http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
www.littlesportsacademy.com/cxep/	true	Avira URL Cloud: malware	low
http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.mmfirewood.net/cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	HIRE SOA FOR DEC_2021.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	HIRE SOA FOR DEC_2021.exe	false	high
http://www.litespeedtech.com/error-page	ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	false	high
https://www.cloudflare.com/5xx-error-landing	ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.1.210.76	akshayaasri.com	United States	47583	AS-HOSTINGERLT	true
160.153.136.3	mmfirewood.net	United States	21501	GODADDY-AMSDE	true
15.197.142.173	spacebymeghan.com	United States	7430	TANDEMUS	true
104.21.86.185	www.fjallravenz.online	United States	13335	CLOUDFLARENETUS	true
154.212.212.21	www.morethanmummies.com	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true
52.6.230.169	cdl-lb-1356093980.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562107
Start date:	28.01.2022
Start time:	13:41:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	HIRE SOA FOR DEC_2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@11/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.8% (good quality ratio 57.8%) Quality average: 73.9% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.222
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, fp.msedge.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	215195
Entropy (8bit):	7.993371558145753
Encrypted:	true
SSDEEP:	6144:S4MsPfqHCpD/3QqPvIGcgvpd97JJs0p2Vwd8:vMk7/rRd97J+O2Vwe
MD5:	19A6D15C584C7CED29C4BE7B6E5C8310
SHA1:	CBE7A6A76AA53EB978275231E80552B9C7150D6D
SHA-256:	26D815E0D2F66777DD1ED59FAC4FDA402951E67B530183EF7F16E0A87E440607
SHA-512:	93AD0BAF26DC907821CC3DF6EAB9B0293213EFB9A9C8646DCBA80C2AEBB06A70D0A4E175FB907A8CAE38707E96FC6552805B33F8766124C74595896E85813912
Malicious:	false
Reputation:	low
Preview:	....t.f.U.O....z~k.aO....&..D......R........42e]\4.....R.`....H..6...lT.:v.%.+..59v...\|p0=..;.e...H..\|c.j..g.2Z-.....G.O..K.....T@...c.83..h.....`U......*:.2f.$t.)....R.b.~4.@....nAo...E..E:.0v .......(....Q..\Y#.Q.J..\3..)&...F..<BJ..k...V.J\3..r%.t.f....[.%.~..C.. .....D.D....R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qvg...@..\#=nfq..[.#.E..0v ....~:t...;Q..\Y#.Q8@..e3...@......DBJ.%.k..).V.J\...r%.t.f.....[.%.~Q.c.. .....D......R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qb.~4.@....nfy..[.5.E:.0v ....~:t....Q..\Y#.Q8@..e3...@......DBJ.%.k..).V.J\...r%.t.f.....[.%.~Q.c.. .....D......R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qb.~4.@....nfy..[.5.E:.0v ....~:t....Q..\Y#.Q8@..e3.

C:\Users\user\AppData\Local\Temp\nslEC78.tmp

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	268283
Entropy (8bit):	7.6429002734152185
Encrypted:	false
SSDEEP:	6144:dH4MsPfqHCpD/3QqPvIGcgvpd97JJs0p2VwdZDw:iMk7/rRd97J+O2Vwr
MD5:	5D94CFA0DD7D4CC68EDEB9CAB7E1EF7E
SHA1:	2AF4AC4BA60F62E268A019082FEE442641BEF1DD
SHA-256:	AE66CE11CF30DA19A8A9319CFE9176DF4C09CF08BDD956F024398C53E7EE1F41
SHA-512:	652C233D5C41B072416141C5D5EFB110C32ACAC2BC253FA637CAF4A5942E23BC4A366A80A5A88723CE28437E816A0A9CDFE0C9708A73C79A417916B0617515B2
Malicious:	false
Reputation:	low
Preview:	.j......,........................O.......i......xj..............................................................:...........................................................................................................................................................................J...................j...........................................................................................................................................P...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	5.746712337711455
Encrypted:	false
SSDEEP:	384:b6PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhboqTb:bG1albrXY0HwinMdZeUhbo+b
MD5:	0BCCDBF53DEF482E16174CD6488E0CED
SHA1:	B33612410ABDBC5644292052C943EF5CC21F73A2
SHA-256:	DA9CDFE0680A235BC1EF297EAA6CF5723F34B95A043700E8ACE1BD8C24CE974C
SHA-512:	68B4D0FE21B58486FC07B53F57B75FE509E858FAFDD79B300DFB93E521CB2400693A3F18AE8AD941BFDDCA88FA6941ABF0B83D373CA7DA8C530254D8E9905846
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0..0..Mn...0..Mn...0..Hn...0..Mn...0..Rich.0..................PE..L....*.a...........!.....@...................P............................................@.........................0Q..H...xQ.......`.......................p.......................................................P..0............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.rsrc........`.......N..............@..@.reloc.......p.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yyyvokmb

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	6.198337761833235
Encrypted:	false
SSDEEP:	96:+YWprIk5aM/Xh/s+Gt2Dw1xTv7VVOrHdr3vPWAmpvJytv9uAVpVk/aXEDT6hlI87:dWpMKz/Rsh2Dw1xvVa9rfpmvytVZVs7w
MD5:	E66B15AA06214E6D88ECF31208BF636B
SHA1:	4ECD3FBCD14C48BBEE63D8B73DE26CE2C5C4FC42
SHA-256:	CB56D5562DFC52D2A9C672B2000E434D9B4BA5B63E679FC76018C86D4328E68A
SHA-512:	555BDA57EA973BA918337D61EE159FC64B7528708309A4A8130C90ECA9A92D418FDFBD1AB7F7927DAF8BFB2A56AE14318DA351A63D1B85D7DF1A1017EC5D04B7
Malicious:	false
Reputation:	low
Preview:	#VE~~'.".">)(...~M..Mi.^M..Mi.&.v~..r.~~~.J~}.B}.N..v.&o~~~..V.'R}.B}.N..v.&&~~~....'.}.B}.N..v.&.~~~....'.}.B}.N..v.&.~~~....'...NZ.4.F..YY.B...^.':..N.&Z....&.."..&..r.Z....N.u+..&Y'r.Z...r.(.J.:...&~~~~.Z.W..r}.V.}..}.;.}.;.}.^.}.&..H.N...Bu....J.. {..}.V;...FMW...Y.r&~~~~...Z.~~~.Z.?...J.........7.B~'."..M..Mi.v..F.~1.B....F.~..N.j..'v...Z..r..F.~>..F.{..v.'r.7.B~.ht..&.\|~~&.\|~~.j~..}].&.\|~~&.\|~~.F~.?..&\|~~&.\|~~.F~'.".".M..Mi.&..vN~~~..V..r..v~.h..r.~~..r>..r..v...v!:&jW~~.....F..F..~..?V.?R..&..F.[~..?V.?R.\|.F..~..WV...}].&.{~~.&.o}}..J!M..&.}.F&.}}}..J..J~.X..~!E...{~~~....7.Z~'.".">M..Mi.&..v.~~~.....r..v~.h..r.~~..r>..r..v...v!:&.Z~~.M..~~~..F..F..~..?..?...B..F.[~..?..?...N..F.[..?..?...j...F..Y..g...g...&..F.[\|..?..?..W.F..~..W...ht..&8~~~.&9r}}..J...~.F..&....{!.}..}.j}.N}.B}.F&5p}}..J..J~.X..~!E...{~~~....7.j~'."."...vN~~~..:..r..v~.h..r.~~..r>..r..v...v!:&.Y~~.....F..F..~..?:.?&..B..F.[~..?:.*?&.\|.F..~..W:..?..&.~~~.&.r}}..J!@}.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.929169191733211
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HIRE SOA FOR DEC_2021.exe
File size:	253198
MD5:	d8af2363d5a46336733b6121c0b4cf0e
SHA1:	fcb0ee44436230d924b2550fc9935ee76f2498fe
SHA256:	2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
SHA512:	e34f724dc4a7837ff86ed5d5214e1ed22e5643bbd45f881066b05b4ae4766a6330a48db8e4ef8dcee9ca8bf5ace43d987a667f62ea086992d2ff1ee24875889d
SSDEEP:	6144:owKROwSVj01uIkVhb9ES64sucmuklkdjrxadrJfTu2taM:KOHVBVhbmqHGkopapJfTu2taM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FBC3045E820h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007FBC3045E4D7h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FBC3045E4C5h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FBC3045BCECh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FBC3045DFB8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FBC3045BD45h
cmp cl, 00000020h
jne 00007FBC3045BCE8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FBC3045BCDCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x900	0xa00	False	0.409375	data	3.94693169534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-13:43:52.418301	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.418301	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.418301	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.615356	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49795	15.197.142.173	192.168.2.4
01/28/22-13:44:03.940446	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:03.940446	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:03.940446	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:19.805943	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49826	34.102.136.180	192.168.2.4
01/28/22-13:44:24.890101	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115
01/28/22-13:44:24.890101	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115
01/28/22-13:44:24.890101	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 13:43:26.571491003 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.588496923 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.589521885 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.589901924 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.606714010 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629261971 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629290104 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629317999 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629342079 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629359961 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629431963 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629489899 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629543066 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629570007 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629637003 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:36.835757017 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.862999916 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.863120079 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.863276958 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.890353918 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892522097 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892564058 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892697096 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.892810106 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.919744015 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:47.083198071 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.222182035 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.222388983 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.222440958 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.361347914 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363614082 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363637924 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363796949 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.363838911 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.503143072 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:52.399549007 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.418032885 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.418118000 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.418301105 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.436683893 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615355968 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615385056 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615587950 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.615655899 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.634027958 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:58.215841055 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.333755016 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.333899021 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.334042072 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.453200102 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453345060 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453385115 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453522921 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.453612089 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453705072 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.467691898 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.585381985 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:44:03.659889936 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:03.940198898 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:03.940315962 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:03.940445900 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.448020935 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.557204962 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.729449987 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:04.838773012 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:04.838869095 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:05.036750078 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:05.036820889 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:05.317188025 CET	80	49800	154.212.212.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 13:43:26.540118933 CET	55854	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:26.565443993 CET	53	55854	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:36.675570011 CET	63153	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:36.697244883 CET	53	63153	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:41.922106028 CET	52991	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:41.950030088 CET	53	52991	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:46.968595982 CET	53700	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:47.081892014 CET	53	53700	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:52.373795033 CET	51726	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:52.398015976 CET	53	51726	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:58.174300909 CET	56794	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:58.214751005 CET	53	56794	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:03.486622095 CET	56621	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:03.658027887 CET	53	56621	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:09.469520092 CET	64078	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:09.585433960 CET	53	64078	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:14.590650082 CET	64801	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:14.619923115 CET	53	64801	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:19.639933109 CET	61721	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:19.670660019 CET	53	61721	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:24.810468912 CET	51255	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:24.871097088 CET	53	51255	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 13:43:26.540118933 CET	192.168.2.4	8.8.8.8	0xc41e	Standard query (0)	www.fjallravenz.online	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:36.675570011 CET	192.168.2.4	8.8.8.8	0x1b7	Standard query (0)	www.mmfirewood.net	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:41.922106028 CET	192.168.2.4	8.8.8.8	0x3846	Standard query (0)	www.estateglobal.info	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:46.968595982 CET	192.168.2.4	8.8.8.8	0xeb46	Standard query (0)	www.simonhaidomous.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.373795033 CET	192.168.2.4	8.8.8.8	0x43ba	Standard query (0)	www.spacebymeghan.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:58.174300909 CET	192.168.2.4	8.8.8.8	0x7245	Standard query (0)	www.akshayaasri.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:03.486622095 CET	192.168.2.4	8.8.8.8	0x17c3	Standard query (0)	www.morethanmummies.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:09.469520092 CET	192.168.2.4	8.8.8.8	0x8cf8	Standard query (0)	www.com-weekly.email	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:14.590650082 CET	192.168.2.4	8.8.8.8	0xb26e	Standard query (0)	www.cefseguranca-app.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:19.639933109 CET	192.168.2.4	8.8.8.8	0xd4c5	Standard query (0)	www.toraportal.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:24.810468912 CET	192.168.2.4	8.8.8.8	0xe94a	Standard query (0)	www.skworkforce.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 13:42:26.524518967 CET	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:26.565443993 CET	8.8.8.8	192.168.2.4	0xc41e	No error (0)	www.fjallravenz.online		104.21.86.185	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:26.565443993 CET	8.8.8.8	192.168.2.4	0xc41e	No error (0)	www.fjallravenz.online		172.67.223.184	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:36.697244883 CET	8.8.8.8	192.168.2.4	0x1b7	No error (0)	www.mmfirewood.net	mmfirewood.net		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:36.697244883 CET	8.8.8.8	192.168.2.4	0x1b7	No error (0)	mmfirewood.net		160.153.136.3	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:41.950030088 CET	8.8.8.8	192.168.2.4	0x3846	Name error (3)	www.estateglobal.info	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	www.simonhaidomous.com	comingsoon.namebright.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	comingsoon.namebright.com	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		52.6.230.169	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		52.0.85.145	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	www.spacebymeghan.com	spacebymeghan.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	spacebymeghan.com		15.197.142.173	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	spacebymeghan.com		3.33.152.147	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:58.214751005 CET	8.8.8.8	192.168.2.4	0x7245	No error (0)	www.akshayaasri.com	akshayaasri.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:58.214751005 CET	8.8.8.8	192.168.2.4	0x7245	No error (0)	akshayaasri.com		212.1.210.76	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:03.658027887 CET	8.8.8.8	192.168.2.4	0x17c3	No error (0)	www.morethanmummies.com		154.212.212.21	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:09.585433960 CET	8.8.8.8	192.168.2.4	0x8cf8	Server failure (2)	www.com-weekly.email	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:14.619923115 CET	8.8.8.8	192.168.2.4	0xb26e	Name error (3)	www.cefseguranca-app.com	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:19.670660019 CET	8.8.8.8	192.168.2.4	0xd4c5	No error (0)	www.toraportal.com	toraportal.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:44:19.670660019 CET	8.8.8.8	192.168.2.4	0xd4c5	No error (0)	toraportal.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:24.871097088 CET	8.8.8.8	192.168.2.4	0xe94a	No error (0)	www.skworkforce.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:44:24.871097088 CET	8.8.8.8	192.168.2.4	0xe94a	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.fjallravenz.online

www.mmfirewood.net

www.simonhaidomous.com

www.spacebymeghan.com

www.akshayaasri.com

www.morethanmummies.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49767	104.21.86.185	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:26.589901924 CET	1732	OUT	GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.fjallravenz.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:26.629261971 CET	1733	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 12:43:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cH2e6Df%2BIN%2BD3HIfng%2BVXFJrXJ5sXtwrqG6sujAnrFxhvT1Yq8%2Fdsu5K36a8s3PvbnO0g7bpap3DF476kMnjAtFUA%2Bo1ZOGDVbHr2VmeZzabOlgEjgfqcpjFaErmm6llalP4ASReqBov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6d4a4e733f4e916e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 31 32 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 Data Ascii: 112c<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49792	160.153.136.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:36.863276958 CET	9374	OUT	GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.mmfirewood.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:36.892522097 CET	9375	IN	HTTP/1.1 400 Bad Request Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49794	52.6.230.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:47.222440958 CET	10150	OUT	GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.simonhaidomous.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:47.363614082 CET	10151	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 28 Jan 2022 12:43:47 GMT Content-Length: 0 Connection: close Location: https://www.houstoncc.com/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49795	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:52.418301105 CET	10152	OUT	GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.spacebymeghan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:52.615355968 CET	10152	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Fri, 28 Jan 2022 12:43:52 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49796	212.1.210.76	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:58.334042072 CET	10153	OUT	GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.akshayaasri.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:58.453345060 CET	10154	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 28 Jan 2022 12:43:58 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49800	154.212.212.21	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:44:03.940445900 CET	10195	OUT	GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.morethanmummies.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:44:04.557204962 CET	10195	OUT	GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.morethanmummies.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	1
Start time:	13:42:08
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x400000
File size:	253198 bytes
MD5 hash:	D8AF2363D5A46336733B6121C0B4CF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: HIRE SOA FOR DEC_2021.exePID: 4744, Parent PID: 7124

General

Target ID:	3
Start time:	13:42:10
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x400000
File size:	253198 bytes
MD5 hash:	D8AF2363D5A46336733B6121C0B4CF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exePID: 3424, Parent PID: 4744

General

Target ID:	5
Start time:	13:42:15
Start date:	28/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: ipconfig.exePID: 5252, Parent PID: 3424

General

Target ID:	8
Start time:	13:42:37
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x280000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exePID: 5744, Parent PID: 5252

General

Target ID:	9
Start time:	13:42:43
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5736, Parent PID: 5744

General

Target ID:	10
Start time:	13:42:46
Start date:	28/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HIRE SOA FOR DEC_2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nmdcx8dorpuxth4

C:\Users\user\AppData\Local\Temp\nslEC78.tmp

C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

C:\Users\user\AppData\Local\Temp\yyyvokmb

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
HIRE SOA FOR DEC_2021.exe