
Windows Analysis Report
https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial

Overview

General Information

Sample URL: https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial
Analysis ID: 1641273
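The sample URL is a redirector on a news domain (redirect.php?url=) whose url parameter names an unrelated host; the HTTP log in the Networking section shows the browser being forwarded to ssl.waytrust.online. The following Python is an added example and is not part of the Joe Sandbox report. It extracts the forwarded target from a redirector URL (including scheme-relative and double-encoded values) and flags the case where the target's registrable domain differs from the redirector's. The parameter-name list and the two-label domain heuristic are assumptions chosen for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Query-parameter names commonly used by redirector endpoints. Assumption: a
# generic list for illustration; the redirector on this page uses "url".
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "target", "dest", "u", "r")


def redirect_target(url: str) -> Optional[str]:
    """Return the absolute URL a redirector would forward the browser to, or
    None when no known parameter carries an http(s) or scheme-relative URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            # parse_qs already decoded one layer; unquote() again so a
            # double-encoded value (https%253A%252F%252F...) is still caught.
            candidate = unquote(value)
            if candidate.startswith("//"):
                # A scheme-relative target inherits the redirector's scheme.
                candidate = f"{parts.scheme}:{candidate}"
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
    return None


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'infra.economictimes.indiatimes.com' -> 'indiatimes.com'.
    Assumption: a crude stand-in for a public-suffix-list lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_external_redirect(url: str) -> bool:
    """True when the redirector forwards to a different registrable domain."""
    target = redirect_target(url)
    if target is None:
        return False
    src_host = urlsplit(url).hostname or ""
    dst_host = urlsplit(target).hostname or ""
    return registrable_domain(src_host) != registrable_domain(dst_host)


# The sample URL from this report.
SAMPLE_URL = ("https://infra.economictimes.indiatimes.com/redirect.php"
              "?url=https%3A%2F%2Fssl.waytrust.online%2Fmial")

if __name__ == "__main__":
    print(redirect_target(SAMPLE_URL))       # https://ssl.waytrust.online/mial
    print(is_external_redirect(SAMPLE_URL))  # True
```

Run over a proxy or mail-gateway URL feed, the check isolates links that leave a trusted domain through its own redirector, which is the property that makes such links attractive for phishing lures; on the redirector side, the fix is to accept only same-origin targets or a signed allow-listed destination.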

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Yara signature match

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2004,i,1199099014176019056,3153161653523586635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 7164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • rundll32.exe (PID: 6760 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • order-10093162025.exe (PID: 2972 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe" MD5: 5DED0E5198AEBD3999AEC1B003269F88)
    • svchost.exe (PID: 2272 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 4100 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • netbtugc.exe (PID: 6292 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • firefox.exe (PID: 788 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
Source | Rule | Description | Author | Strings
Source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2ce63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      System Summary

Sigma rule matches:
Source: Process started | Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe, ParentProcessId: 2972, ParentProcessName: order-10093162025.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", ProcessId: 2272, ProcessName: svchost.exe
Source: Process started | Author: vburov
  Data: Command: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe, ParentProcessId: 2972, ParentProcessName: order-10093162025.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe", ProcessId: 2272, ProcessName: svchost.exe
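Both Sigma hits describe the same event, PID 2272 in the process tree: a 32-bit svchost.exe from SysWOW64 started by the downloaded order-10093162025.exe, with the dropper's own path recorded as the svchost command line. That pairing (image svchost.exe, command line of another program) is what a process created suspended and then overwritten looks like in process-creation telemetry, and it lines up with the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Modifies the context of a thread in another process" signatures above. The Python below is an added example, not part of the report and not the Sigma rule itself; it runs two checks over constructed process-creation events modelled on this tree. The allow-list of legitimate svchost parents is an approximation and an assumption, not a copy of the rule's filter.

```python
import ntpath
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / Windows 4688 shape)."""
    image: str         # full path of the new process
    command_line: str  # command line recorded for the new process
    parent_image: str  # full path of the creating process


# Parents from which svchost.exe is normally started. Assumption: an
# approximation of the "Uncommon Svchost Parent Process" filter, not a copy.
LEGIT_SVCHOST_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",
    r"c:\windows\system32\mrt.exe",
    r"c:\windows\system32\rpcnet.exe",
}


def command_line_image(command_line: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    text = command_line.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end] if end > 0 else text[1:]
    return text.split(None, 1)[0] if text else ""


def analyze(event: ProcessEvent) -> List[str]:
    """Return the findings for one event (an empty list means nothing suspicious)."""
    findings = []
    image_name = ntpath.basename(event.image).lower()
    parent = event.parent_image.lower()

    # 1. svchost.exe started by something other than the service control manager.
    if image_name == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
        findings.append(f"uncommon svchost parent: {event.parent_image}")

    # 2. The recorded command line names a different executable than the image.
    #    A process created suspended and hollowed keeps the command line its
    #    creator passed (here the dropper's own path) while the image is svchost.
    cl_name = ntpath.basename(command_line_image(event.command_line)).lower()
    if cl_name and cl_name != image_name:
        findings.append(f"image/command-line mismatch: {image_name} vs {cl_name}")
    return findings


DROPPER = r"C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe"

# Constructed events modelled on the process tree in this report.
SAMPLE_EVENTS = [
    # PID 2272 in the report: SysWOW64 svchost.exe carrying the dropper's command line.
    ProcessEvent(image=r"C:\Windows\SysWOW64\svchost.exe",
                 command_line=f'"{DROPPER}"',
                 parent_image=DROPPER),
    # A normal service host, for contrast (constructed).
    ProcessEvent(image=r"C:\Windows\System32\svchost.exe",
                 command_line=r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                 parent_image=r"C:\Windows\System32\services.exe"),
    # PID 6292 in the report: explorer.exe launching netbtugc.exe. Neither check
    # above fires on this step; it needs the memory-injection telemetry instead.
    ProcessEvent(image=r"C:\Windows\SysWOW64\netbtugc.exe",
                 command_line=r'"C:\Windows\SysWOW64\netbtugc.exe"',
                 parent_image=r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev.image), analyze(ev))
```

The second check is the more durable of the two: an attacker can pick a parent that is on the allow-list, but a hollowed process keeps whatever command line the creator supplied, so a mismatch between the image and the executable named in the command line survives changes of parent. The explorer.exe to netbtugc.exe hop is deliberately left undetected by this example to make the point that it is caught by the injection signatures, not by process-tree shape.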
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-18T07:02:51.303414+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49736 | 85.159.66.93 | 80 | TCP
2025-03-18T07:03:59.912274+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49726 | 35.154.214.247 | 80 | TCP
2025-03-18T07:04:23.286254+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49733 | 116.50.37.244 | 80 | TCP


      AV Detection

Source: http://www.goldenjade-travel.com/fo8o/?MyZQH=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwzYvpB4shIU1cq+9C58fNEkaJsDwVQ==&Apw=IM74M1BeL | Avira URL Cloud: Label: malware
Source: Yara match | File source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: unknown | HTTPS traffic detected: 23.38.98.220:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 68.65.122.152:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.68:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 8MB later: 37MB

      Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.16:49726 -> 35.154.214.247:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.16:49733 -> 116.50.37.244:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.16:49736 -> 85.159.66.93:80
Source: C:\Windows\explorer.exe | Network Connect: 116.50.37.244 80
Source: C:\Windows\explorer.exe | Network Connect: 35.154.214.247 80
Source: C:\Windows\explorer.exe | Network Connect: 85.159.66.93 80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208 (1 event)
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211 (7 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.185.195 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.71 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.77.188 (2 events)
Source: global traffic | HTTP traffic detected:
  GET /redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial HTTP/1.1
  Host: infra.economictimes.indiatimes.com
  Connection: keep-alive
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /mial HTTP/1.1
  Host: ssl.waytrust.online
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /mial/ HTTP/1.1
  Host: ssl.waytrust.online
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /fo8o/?MyZQH=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzbWnYei5KJkZjHO4n69vp13ssgZ/8Q==&Apw=IM74M1BeL HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.3xfootball.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected:
  GET /fo8o/?MyZQH=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwzYvpB4shIU1cq+9C58fNEkaJsDwVQ==&Apw=IM74M1BeL HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.goldenjade-travel.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected:
  GET /fo8o/?MyZQH=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMF0ufsdnpLgmRSSw2BgpeQ8wWssTEQ==&Apw=IM74M1BeL HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.magmadokum.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | DNS traffic detected: DNS query: infra.economictimes.indiatimes.com
Source: global traffic | DNS traffic detected: DNS query: ssl.waytrust.online
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
Source: unknown | HTTP traffic detected:
  POST /fo8o/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Accept-Encoding: gzip, deflate, br
  Host: www.goldenjade-travel.com
  Origin: http://www.goldenjade-travel.com
  Cache-Control: no-cache
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 194
  Referer: http://www.goldenjade-travel.com/fo8o/
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
  Data Raw: 4d 79 5a 51 48 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 34 6d 79 69 71 4a 38 36 6c 7a 63 5a 6b 62 71 42 58 35 6a 65 6e 62 56 47 42 5a 47
  Data Ascii: MyZQH=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO4myiqJ86lzcZkbqBX5jenbVGBZG
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Tue, 18 Mar 2025 06:04:17 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Tue, 18 Mar 2025 06:04:20 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Tue, 18 Mar 2025 06:04:22 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 23.38.98.220:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 68.65.122.152:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.68:443 -> 192.168.2.16:49710 version: TLS 1.2
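The three check-ins that triggered the Suricata rule share one path (/fo8o/) across three unrelated hosts, a fixed second query parameter (Apw=IM74M1BeL) beside a per-request opaque MyZQH value, an Internet Explorer 8 User-Agent sent from a Windows 10 machine, Connection: close and plain HTTP on port 80; a form-urlencoded POST to the same path follows, and the three logged responses are 404s from Microsoft-HTTPAPI/2.0. Which of the contacted hosts is the live controller cannot be read from the report. The Python below is an added example, not part of the report or of the Suricata rule; it parses raw HTTP requests constructed to mirror the ones above and clusters them by path, flagging a path that is used against two or more hosts when every request in the cluster carries a legacy IE User-Agent and Connection: close. The User-Agent pattern, the host threshold and the shortened MyZQH values are assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Browser strings of the Internet Explorer 5-8 generation; the check-ins on
# this page claim MSIE 8.0 / Trident/4.0. Assumption: range chosen for illustration.
LEGACY_IE_UA = re.compile(r"MSIE [5-8]\.\d")


def parse_request(raw: str) -> Dict:
    """Parse a raw HTTP/1.x request (request line, headers, optional body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }


def find_beacon_clusters(requests: List[Dict], min_hosts: int = 2) -> List[Dict]:
    """Group requests by path and report paths contacted on >= min_hosts distinct
    hosts where every request carries a legacy IE User-Agent and Connection: close.
    Query parameters common to all parameterised requests in the cluster are
    returned too (the check-ins above keep Apw fixed while MyZQH changes)."""
    by_path = defaultdict(list)
    for req in requests:
        by_path[req["path"]].append(req)

    clusters = []
    for path, reqs in by_path.items():
        hosts = {r["host"] for r in reqs}
        if len(hosts) < min_hosts:
            continue
        legacy = all(LEGACY_IE_UA.search(r["headers"].get("user-agent", "")) for r in reqs)
        closing = all(r["headers"].get("connection", "").lower() == "close" for r in reqs)
        if not (legacy and closing):
            continue
        param_sets = [set(r["query"]) for r in reqs if r["query"]]
        shared = set.intersection(*param_sets) if param_sets else set()
        clusters.append({
            "path": path,
            "hosts": sorted(hosts),
            "methods": sorted({r["method"] for r in reqs}),
            "shared_params": sorted(shared),
        })
    return clusters


IE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
          ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
          ".NET4.0C; .NET4.0E; InfoPath.2)")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36")


def _checkin(host: str, blob: str) -> str:
    """Constructed GET modelled on the report's check-ins; `blob` is a shortened
    stand-in for the MyZQH value (the full values are in the Networking section)."""
    return (f"GET /fo8o/?MyZQH={blob}&Apw=IM74M1BeL HTTP/1.1\r\n"
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            f"Accept-Language: en-US,en\r\nHost: {host}\r\nConnection: close\r\n"
            f"User-Agent: {IE8_UA}\r\n\r\n")


SAMPLE_REQUESTS = [
    _checkin("www.3xfootball.com", "IhZyPQIGe6uK3zP3"),
    _checkin("www.goldenjade-travel.com", "LFKqyrcu7g1NCa8c"),
    _checkin("www.magmadokum.com", "qL3nKp+YSjoaTomg"),
    # The POST seen against www.goldenjade-travel.com (body constructed and shortened).
    ("POST /fo8o/ HTTP/1.1\r\nHost: www.goldenjade-travel.com\r\nConnection: close\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n"
     f"User-Agent: {IE8_UA}\r\n\r\nMyZQH=GHiKxe4Q6VhKKesM"),
    # Benign browser traffic from the same capture: a modern UA and keep-alive.
    ("GET /mial HTTP/1.1\r\nHost: ssl.waytrust.online\r\nConnection: keep-alive\r\n"
     f"User-Agent: {CHROME_UA}\r\n\r\n"),
    ("GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: keep-alive\r\n"
     f"User-Agent: {CHROME_UA}\r\n\r\n"),
]

if __name__ == "__main__":
    for cluster in find_beacon_clusters([parse_request(r) for r in SAMPLE_REQUESTS]):
        print(cluster)
```

The cluster view is what a signature on a single request cannot give: one process talking the same path to several unrelated domains with a browser string a decade older than the host is worth a look even when none of the domains is on a blocklist yet, and the fixed parameter is a pivot for finding other infected hosts in the same campaign.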

      E-Banking Fraud

Source: Yara match | File source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

Source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6224_294174431
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6224_294174431
Source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.win@31/4@11/143
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\95e5529a-6b87-4b74-beb4-b9cb6195cfb7.tmp
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | File created: C:\Users\user\AppData\Local\Temp\autA32.tmp
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2004,i,1199099014176019056,3153161653523586635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 events)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2004,i,1199099014176019056,3153161653523586635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (13 events)
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (3 events)
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dll
      Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dll
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | API/Special instruction interceptor: Address: 10100F4
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148AD324
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148B0774
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148B0154
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148AD8A4
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148ADA44
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8148AD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD324
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148B0774
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD944
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD504
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD544
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148B0154
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD8A4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148ADA44
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8148AD7E4
Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9843
Source: C:\Windows\SysWOW64\svchost.exe TID: 2240 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7060 | Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7060 | Thread sleep count: 9843 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7060 | Thread sleep time: -19686000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 116.50.37.244 80
Source: C:\Windows\explorer.exe | Network Connect: 35.154.214.247 80
Source: C:\Windows\explorer.exe | Network Connect: 85.159.66.93 80
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4100
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 4100
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 788
Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EEE008
Source: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

      Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

      Remote Access Functionality

Source: Yara match | File source: 0000000E.00000002.1659735801.00000000085A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1564978419.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 511 Process Injection; 1 DLL Side-Loading; 1 Extra Window Memory Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 2 Virtualization/Sandbox Evasion; 511 Process Injection; 1 Rundll32; 1 DLL Side-Loading; 1 File Deletion; 1 Extra Window Memory Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 11 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label | Link
https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial | 0% | Avira URL Cloud | safe |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ssl.waytrust.online/mial/ | 0% | Avira URL Cloud | safe |
https://ssl.waytrust.online/mial | 0% | Avira URL Cloud | safe |
http://www.3xfootball.com/fo8o/?MyZQH=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzbWnYei5KJkZjHO4n69vp13ssgZ/8Q==&Apw=IM74M1BeL | 0% | Avira URL Cloud | safe |
http://www.goldenjade-travel.com/fo8o/?MyZQH=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwzYvpB4shIU1cq+9C58fNEkaJsDwVQ==&Apw=IM74M1BeL | 100% | Avira URL Cloud | malware |
http://www.magmadokum.com/fo8o/?MyZQH=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMF0ufsdnpLgmRSSw2BgpeQ8wWssTEQ==&Apw=IM74M1BeL | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
e112509.dscj.akamaiedge.net | 23.38.98.220 | true | false | | unknown
www.3xfootball.com | 35.154.214.247 | true | false | | high
ssl.waytrust.online | 68.65.122.152 | true | false | | unknown
www.google.com | 142.250.185.68 | true | false | | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.magmadokum.com | unknown | unknown | false | | high
infra.economictimes.indiatimes.com | unknown | unknown | true | | unknown
www.antonio-vivaldi.mobi | unknown | unknown | false | | high
www.kasegitai.tokyo | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ssl.waytrust.online/mial/ | false | Avira URL Cloud: safe | unknown
http://www.3xfootball.com/fo8o/?MyZQH=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzbWnYei5KJkZjHO4n69vp13ssgZ/8Q==&Apw=IM74M1BeL | true | Avira URL Cloud: safe | unknown
https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial | false | | unknown
http://www.magmadokum.com/fo8o/?MyZQH=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMF0ufsdnpLgmRSSw2BgpeQ8wWssTEQ==&Apw=IM74M1BeL | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/?MyZQH=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwzYvpB4shIU1cq+9C58fNEkaJsDwVQ==&Apw=IM74M1BeL | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | false | | high
https://ssl.waytrust.online/mial | false | Avira URL Cloud: safe | unknown
http://www.magmadokum.com/fo8o/ | false | | high
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.68 | www.google.com | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
172.217.18.14 | unknown | United States | 15169 | GOOGLEUS | false
172.217.18.3 | unknown | United States | 15169 | GOOGLEUS | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
35.154.214.247 | www.3xfootball.com | United States | 16509 | AMAZON-02US | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
216.58.206.46 | unknown | United States | 15169 | GOOGLEUS | false
142.251.168.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.181.227 | unknown | United States | 15169 | GOOGLEUS | false
23.38.98.220 | e112509.dscj.akamaiedge.net | United States | 16625 | AKAMAI-ASUS | false
142.250.186.110 | unknown | United States | 15169 | GOOGLEUS | false
216.58.212.163 | unknown | United States | 15169 | GOOGLEUS | false
68.65.122.152 | ssl.waytrust.online | United States | 22612 | NAMECHEAP-NETUS | false
                                IP
                                192.168.2.16
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1641273
Start date and time: 2025-03-18 07:02:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.win@31/4@11/143
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.186.110, 172.217.18.3, 142.251.168.84, 216.58.206.46, 142.250.185.206, 142.250.186.142
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: https://infra.economictimes.indiatimes.com/redirect.php?url=https%3A%2F%2Fssl.waytrust.online%2Fmial
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1216922126537057
Encrypted: false
SSDEEP:
MD5: 7F784E8E9051D8E70834C231AE5CC670
SHA1: FA92DDE2E8DD8599EA458CC8488123CB60AD0DC1
SHA-256: 1CEE1D9084D2C05B68B40073E4E6FE380128B61988409D60A9F5CBFD7AE964F6
SHA-512: A054A1E0F3289F4CCD25F01A81C0B3471A2CA8243E76ADD24D105A4141FBC534D20CE913A796474FB17754AB3B87C56679B8962FB860060B23F467601043EEA7
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.994006904576061
Encrypted: true
SSDEEP:
MD5: 3CE900B986A028D9AFD76F460177177D
SHA1: 63A2DBA7746618F99674D24AB47B56460AD5F115
SHA-256: 79AB5EFBB72A7E2F80B3B6B0690F9C2E878DD9ADCB5053FE82F9F278EAC61F04
SHA-512: 987146DDA378D94C13BB78EDADC04ECAEFDEF7C67C406D851E558756EDA9C29841E59374C2C5807C3753B8B1052752AD61B81677CB31DB0B43658CE426B6C057
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\Temp1_order-10093162025.zip\order-10093162025.exe
File Type: data
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: 3CE900B986A028D9AFD76F460177177D
SHA1: 63A2DBA7746618F99674D24AB47B56460AD5F115
SHA-256: 79AB5EFBB72A7E2F80B3B6B0690F9C2E878DD9ADCB5053FE82F9F278EAC61F04
SHA-512: 987146DDA378D94C13BB78EDADC04ECAEFDEF7C67C406D851E558756EDA9C29841E59374C2C5807C3753B8B1052752AD61B81677CB31DB0B43658CE426B6C057
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 15775
Entropy (8bit): 7.984182579199814
Encrypted: false
SSDEEP:
MD5: 0B8BED4B61582CB6C0EB811D294EF729
SHA1: 3E0F4E2645648C2266BA39F4DD9DBE3DA83536F9
SHA-256: 3AFFF1E811545F640F158DD3BFF7807A3522F318D96A6D908C4D4CF426F13A40
SHA-512: 3D88F28F1A855273FCD961F755998AC2EC4D24A9E5F009DA6EFE5AA294148FF970A897BEF6CC5D2592F531F8F9C898ADFC4CA33C5E459C66A4A8C8D77D389A8F
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: 17D64769EDBA3352BE40625D7D16C3C6
SHA1: 3AAC37A5588DBF517AA14F3976CE51AB40566F79
SHA-256: 1D1813B27AC7763022F29D25E0B64627EB417CACFCDC8919B041985D75CA8A0C
SHA-512: 1BF33EF8EC256838DC0AAE4A7DCAA5F0F1DB536F702AE4C3321BFA049AE8A086194BF18080E369E288B86FC4FF45DD04564A08C5D685CBE5C6BA310B6003CB51
Malicious: false
Reputation: unknown
                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):747975
                                Entropy (8bit):7.9992661502783475
                                Encrypted:true
                                SSDEEP:
                                MD5:17D64769EDBA3352BE40625D7D16C3C6
                                SHA1:3AAC37A5588DBF517AA14F3976CE51AB40566F79
                                SHA-256:1D1813B27AC7763022F29D25E0B64627EB417CACFCDC8919B041985D75CA8A0C
                                SHA-512:1BF33EF8EC256838DC0AAE4A7DCAA5F0F1DB536F702AE4C3321BFA049AE8A086194BF18080E369E288B86FC4FF45DD04564A08C5D685CBE5C6BA310B6003CB51
                                Malicious:false
                                Reputation:unknown
                                Preview: identical to the preview shown above (same SHA-256).
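Triage note and added example, not part of the Joe Sandbox report: the dropped-file entries above share one SHA-256, so they describe a single download, `order-10093162025.exe` delivered inside a deflated ZIP. The entry reporting Size 0 and Entropy 0.0 is internally inconsistent with its own hashes (an empty file has MD5 d41d8cd98f00b204e9800998ecf8427e), which is what a snapshot of an in-progress Chrome download looks like: size read from the partial file, hashes taken from the completed one. The report's Encrypted flag tracks entropy (true on the 7.999-entropy copy, false on the 0.0 copy) rather than the ZIP format's own encryption bit, so it does not by itself say whether the archive is password protected. The script below is added here and is not the sandbox's code; it reproduces the fields a reviewer would recheck on the real artifact: it parses the first ZIP local file header to recover the member name, the "version needed to extract" and compression method behind the File Type string, reads the actual ZIP encryption bit, computes 8-bit Shannon entropy, and flags an executable wrapped in an archive. The archive it runs on is constructed in-line (a fake MZ-prefixed blob under the report's member name), not the dropped file.

```python
"""Re-derive the report's File Type / Entropy / Encrypted fields for a ZIP
and flag an executable hidden inside it.  Added example; the sample archive
is constructed below and is not the dropped file from the report."""
import io
import math
import random
import struct
import zipfile
from collections import Counter

LOCAL_HEADER_SIG = 0x04034B50      # "PK\x03\x04": start of every ZIP member
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"  # 30-byte fixed part of the local file header
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")
COMPRESSION = {0: "store", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in 0.0 .. 8.0, the metric behind the Entropy field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_local_header(buf: bytes) -> dict:
    """Decode the first local file header directly from the bytes, without
    relying on the central directory (which a crafted archive can disagree with)."""
    (sig, version, flags, method, _mtime, _mdate,
     crc, csize, usize, fnlen, _exlen) = struct.unpack_from(LOCAL_HEADER_FMT, buf, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    name = buf[30:30 + fnlen].decode("cp437", errors="replace")
    return {
        "version_needed": f"{version // 10}.{version % 10}",  # 20 -> "2.0"
        "encrypted_flag": bool(flags & 0x1),                   # real ZIP encryption bit
        "method": COMPRESSION.get(method, f"unknown({method})"),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "member": name,
    }


def triage_zip(buf: bytes) -> dict:
    """Combine header facts, whole-file entropy and a peek at the member's magic."""
    hdr = parse_local_header(buf)
    entropy = shannon_entropy(buf)
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        with zf.open(zf.namelist()[0]) as member:
            magic = member.read(2)
    findings = []
    if hdr["member"].lower().endswith(EXEC_SUFFIXES):
        findings.append("executable member name")
    if magic == b"MZ":
        findings.append("member is a PE image")
    if entropy > 7.5 and not hdr["encrypted_flag"]:
        findings.append("high entropy without ZIP encryption (packed or compressed payload)")
    return {**hdr, "entropy": round(entropy, 4), "findings": findings}


def build_sample() -> bytes:
    """Constructed stand-in: a deflated ZIP holding a fake PE (MZ + random bytes)
    under the member name seen in the report.  Not the real dropped file."""
    body = b"MZ" + random.Random(1).randbytes(32768)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("order-10093162025.exe", body)
    return out.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample()).items():
        print(f"{key:>18}: {value}")
```

On a real sample, feed the downloaded bytes to `triage_zip` and compare `version_needed` and `method` with the File Type string ("at least v2.0 to extract, compression method=deflate"); a ZIP whose first member is a PE with no encryption bit set is the classic "invoice/order" lure, and the entropy near 8.0 reflects the deflated payload, not a password-protected archive.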
                                No static file info
