
Analysis Report PO PI.exe

Overview

General Information

Sample Name: PO PI.exe
Analysis ID: 254505
MD5: 9a931b93992bd36af52ea345cef3af98
SHA1: dbe897227e9df2b0dc809068df011722d0bbf7a2
SHA256: 8e9f882576a66be70ed5bc204584037087f3bd53d13498126153fb7514f7dd7a

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO PI.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\PO PI.exe' MD5: 9A931B93992BD36AF52EA345CEF3AF98)
    • PO PI.exe (PID: 2016 cmdline: {path} MD5: 9A931B93992BD36AF52EA345CEF3AF98)
    • PO PI.exe (PID: 6176 cmdline: {path} MD5: 9A931B93992BD36AF52EA345CEF3AF98)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
      • msdt.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 5556 cmdline: /c del 'C:\Users\user\Desktop\PO PI.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
PO PI.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c587:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.264928397.0000000000152000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c387:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000011.00000002.513631311.000000000539F000.00000004.00000001.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6cdaf:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.239722921.00000000008B2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c387:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.266492280.00000000008B2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c387:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(29 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.PO PI.exe.f40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c587:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
4.2.PO PI.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO PI.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.PO PI.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
4.2.PO PI.exe.f40000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x6c587:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO PI.exe | Joe Sandbox ML: detected
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000005.00000000.301204901.000000000A9D0000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.301204901.000000000A9D0000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000005.00000000.308900706.000000000EAD1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: PO PI.exe, 00000000.00000003.242521843.0000000005B16000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.aol.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
      Source: explorer.exe, 00000005.00000000.301204901.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
      Source: explorer.exe, 00000005.00000000.301204901.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
      Source: explorer.exe, 00000005.00000000.301850378.000000000B1D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, PO PI.exe, 00000000.00000003.244519904.0000000005B17000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTFOj
      Source: explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: PO PI.exe, 00000000.00000003.247858107.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: PO PI.exe, 00000000.00000003.247811910.0000000005B1C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
      Source: PO PI.exe, 00000000.00000003.247858107.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFOj
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comojj#
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsief
      Source: PO PI.exe, 00000000.00000003.253157227.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
      Source: PO PI.exe, 00000000.00000003.248161557.0000000005B1E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueTF
      Source: PO PI.exe, 00000000.00000003.253157227.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueta
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, PO PI.exe, 00000000.00000003.243942931.0000000005B17000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: PO PI.exe, 00000000.00000003.243942931.0000000005B17000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn&
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: PO PI.exe, 00000000.00000003.243942931.0000000005B17000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cni-f
      Source: PO PI.exe, 00000000.00000003.243855023.0000000005B18000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnmo0
      Source: PO PI.exe, 00000000.00000003.243942931.0000000005B17000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnqo
      Source: PO PI.exe, 00000000.00000003.243855023.0000000005B18000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnsof
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
      Source: PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: PO PI.exe, 00000000.00000003.245043338.0000000005B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$j
      Source: PO PI.exe, 00000000.00000003.245043338.0000000005B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Norm=j
      Source: PO PI.exe, 00000000.00000003.245620604.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Qj
      Source: PO PI.exe, 00000000.00000003.245043338.0000000005B1B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: PO PI.exe, 00000000.00000003.245620604.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/jj#
      Source: PO PI.exe, 00000000.00000003.245620604.0000000005B1D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sx
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
      Source: explorer.exe, 00000005.00000000.301405953.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
      Source: PO PI.exe, 00000000.00000003.242924934.0000000005B2B000.00000004.00000001.sdmp, PO PI.exe, 00000000.00000002.274801184.0000000006D22000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.301944609.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: PO PI.exe, 00000000.00000003.242924934.0000000005B2B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com&
      Source: PO PI.exe, 00000000.00000003.242924934.0000000005B2B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match | File source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00419830 NtCreateFile
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_004198E0 NtReadFile
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00419960 NtClose
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00419A10 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041982C NtCreateFile
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041995A NtClose
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041992A NtReadFile
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00419A0A NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9840 NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED95D0 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED99A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9540 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9910 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED96E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED96D0 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9A50 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9650 NtQueryValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9FE0 NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9780 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9710 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED98F0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED98A0 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EDB040 NtSuspendThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9820 NtEnumerateKey
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED95F0 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED99D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9560 NtWriteFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9950 NtQueueApcThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9520 NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EDAD30 NtSetContextThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9A80 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9670 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9A20 NtResumeThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9A00 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9610 NtEnumerateValueKey
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9A10 NtQuerySection
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED97A0 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EDA3B0 NtGetContextThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9760 NtOpenProcess
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9770 NtSetInformationFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EDA770 NtOpenThread
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9730 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED9B00 NtSetValueKey
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EDA710 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E39A10 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E398E0 NtReadFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E39830 NtCreateFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E39960 NtClose
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E39A0A NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3982C NtCreateFile
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3995A NtClose
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3992A NtReadFile
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07632FD8
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07630E40
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07631AF8
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07632088
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07631698
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07633D60
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07634928
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07634FC8
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_076351D0
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07635460
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_07635628
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_02AFC9E4
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_02AFEDA0
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_02AFEDB0
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00401030
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041D16C
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041CB5E
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041CCAB
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00402D90
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041DE0A
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00409F5C
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00409F60
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041C793
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00402FB0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EAB090
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EA841F
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F51002
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EAD5E0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F61D55
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04E90D20
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04E9F900
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EB6E30
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECEBB0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3D16C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3DE0A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E22FB0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3C793
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E29F60
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E29F5C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E22D90
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04E9B150 appears 32 times
      Source: PO PI.exe | Binary or memory string: OriginalFilename vs PO PI.exe
      Source: PO PI.exe, 00000000.00000002.266585691.0000000000920000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBIqXb.exe< vs PO PI.exe
      Source: PO PI.exe, 00000000.00000002.268113871.0000000002C81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs PO PI.exe
      Source: PO PI.exe, 00000000.00000002.278214801.00000000075D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs PO PI.exe
      Source: PO PI.exe, 00000003.00000000.264855619.00000000001C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBIqXb.exe< vs PO PI.exe
      Source: PO PI.exe, 00000004.00000002.354164946.0000000003A50000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs PO PI.exe
      Source: PO PI.exe, 00000004.00000002.352282225.0000000000FB0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBIqXb.exe< vs PO PI.exe
      Source: PO PI.exe, 00000004.00000002.352949766.0000000001A9F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO PI.exe
      Source: PO PI.exe | Binary or memory string: OriginalFilenameBIqXb.exe< vs PO PI.exe
      Source: PO PI.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000003.00000002.264928397.0000000000152000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000011.00000002.513631311.000000000539F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000000.239722921.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000002.266492280.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.352742055.0000000001930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000011.00000002.510438908.0000000002E20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.353301900.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000011.00000002.511099053.0000000002F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000000.264797218.0000000000152000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000011.00000002.511188175.0000000003046000.00000004.00000020.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.352056497.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.352122903.0000000000F42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.353852859.00000000036E7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000000.265548534.0000000000F42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.268327940.0000000003D31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: PO PI.exe PID: 2016, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: msdt.exe PID: 5560, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: PO PI.exe PID: 6968, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: PO PI.exe PID: 6176, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 4.0.PO PI.exe.f40000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 4.2.PO PI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 4.2.PO PI.exe.f40000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.0.PO PI.exe.150000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.2.PO PI.exe.150000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.0.PO PI.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 4.2.PO PI.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.PO PI.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: PO PI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal96.troj.evad.winEXE@11/1@0/0
      Source: C:\Users\user\Desktop\PO PI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO PI.exe.log
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_01
      Source: C:\Users\user\Desktop\PO PI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\PO PI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\msdt.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: unknown | Process created: C:\Users\user\Desktop\PO PI.exe 'C:\Users\user\Desktop\PO PI.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\PO PI.exe {path}
      Source: unknown | Process created: C:\Users\user\Desktop\PO PI.exe {path}
      Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO PI.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\PO PI.exe | Process created: C:\Users\user\Desktop\PO PI.exe {path}
      Source: C:\Users\user\Desktop\PO PI.exe | Process created: C:\Users\user\Desktop\PO PI.exe {path}
      Source: C:\Users\user\Desktop\PO PI.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO PI.exe'
      Source: C:\Users\user\Desktop\PO PI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: C:\Users\user\Desktop\PO PI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: PO PI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PO PI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.309670477.000000000FA80000.00000002.00000001.sdmp
      Source: Binary string: msdt.pdbGCTL source: PO PI.exe, 00000004.00000002.354164946.0000000003A50000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: PO PI.exe, 00000004.00000002.352795846.0000000001980000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.511537570.0000000004E70000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: PO PI.exe, 00000004.00000002.352795846.0000000001980000.00000040.00000001.sdmp, msdt.exe
      Source: Binary string: msdt.pdb source: PO PI.exe, 00000004.00000002.354164946.0000000003A50000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.309670477.000000000FA80000.00000002.00000001.sdmp
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 0_2_008B7E8C push es; ret 0_2_008B80A0
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 3_2_00157E8C push es; ret 3_2_001580A0
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_004171C5 push A69DEB74h; iretd 4_2_004171CA
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0040F263 push ebx; iretd 4_2_0040F266
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041DAB8 push dword ptr [868CC768h]; ret 4_2_0041DAD9
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_004092B9 push edi; retf 4_2_004092BD
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041C6F2 push eax; ret 4_2_0041C6F8
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041C6FB push eax; ret 4_2_0041C762
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041C6A5 push eax; ret 4_2_0041C6F8
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041B6B5 push es; ret 4_2_0041B667
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0041C75C push eax; ret 4_2_0041C762
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00F47E8C push es; ret 4_2_00F480A0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EED0D1 push ecx; ret 17_2_04EED0E4
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3DAB8 push dword ptr [868CC768h]; ret 17_2_02E3DAD9
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E292B9 push edi; retf 17_2_02E292BD
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E2F263 push ebx; iretd 17_2_02E2F266
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E371C5 push A69DEB74h; iretd 17_2_02E371CA
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3C6F2 push eax; ret 17_2_02E3C6F8
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3C6FB push eax; ret 17_2_02E3C762
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3C6A5 push eax; ret 17_2_02E3C6F8
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3B6B5 push es; ret 17_2_02E3B667
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3C75C push eax; ret 17_2_02E3C762
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_02E3CC36 push ecx; retf 17_2_02E3CC37
      Source: initial sample | Static PE information: section name: .text entropy: 7.82909566993
      Source: C:\Users\user\Desktop\PO PI.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: Process Memory Space: PO PI.exe PID: 6968, type: MEMORY
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\PO PI.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\PO PI.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\PO PI.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002E298B4 second address: 0000000002E298BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002E29B1E second address: 0000000002E29B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\PO PI.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
      Source: C:\Users\user\Desktop\PO PI.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Users\user\Desktop\PO PI.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Users\user\Desktop\PO PI.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
      Source: C:\Users\user\Desktop\PO PI.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_00409A50 rdtsc 4_2_00409A50
      Source: C:\Users\user\Desktop\PO PI.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PO PI.exe TID: 6972 | Thread sleep time: -41000s >= -30000s
      Source: C:\Users\user\Desktop\PO PI.exe TID: 6996 | Thread sleep time: -922337203685477s >= -30000s
      Source: PO PI.exe, 00000000.00000003.263795809.0000000008CD5000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: explorer.exe, 00000005.00000000.297344062.0000000007989000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000005.00000000.309080998.000000000EBFA000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.299248989.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: PO PI.exe, 00000000.00000002.278768835.0000000008F1D000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: explorer.exe, 00000005.00000000.297344062.0000000007989000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: PO PI.exe, 00000000.00000003.263795809.0000000008CD5000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-000.60678.3display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMware
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: explorer.exe, 00000005.00000000.297440876.0000000007A8F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: PO PI.exe, 00000000.00000002.278768835.0000000008F1D000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: explorer.exe, 00000005.00000000.299248989.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: PO PI.exe, 00000000.00000002.278768835.0000000008F1D000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: PO PI.exe, 00000000.00000002.278768835.0000000008F1D000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: PO PI.exe, 00000000.00000003.263795809.0000000008CD5000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-000.60678.3display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMwareLaWy
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: PO PI.exe, 00000000.00000002.278768835.0000000008F1D000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: explorer.exe, 00000005.00000000.288092004.00000000040E9000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.309080998.000000000EBFA000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C:HOME
      Source: PO PI.exe, 00000000.00000003.263795809.0000000008CD5000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-000.60678.3display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMwareLMEM
      Source: explorer.exe, 00000005.00000000.297344062.0000000007989000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
      Source: explorer.exe, 00000005.00000000.299248989.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: explorer.exe, 00000005.00000000.297344062.0000000007989000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: PO PI.exe, 00000000.00000002.278743714.0000000008F0F000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
      Source: explorer.exe, 00000005.00000000.299248989.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\PO PI.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PO PI.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\PO PI.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\PO PI.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\PO PI.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\PO PI.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\PO PI.exe | Code function: 4_2_0040ADF0 LdrLoadDll, 4_2_0040ADF0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F16CF0 mov eax, dword ptr fs:[00000030h] 17_2_04F16CF0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F514FB mov eax, dword ptr fs:[00000030h] 17_2_04F514FB
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F68CD6 mov eax, dword ptr fs:[00000030h] 17_2_04F68CD6
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F2B8D0 mov eax, dword ptr fs:[00000030h] 17_2_04F2B8D0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F2B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_04F2B8D0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ED90AF mov eax, dword ptr fs:[00000030h] 17_2_04ED90AF
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECF0BF mov ecx, dword ptr fs:[00000030h] 17_2_04ECF0BF
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECF0BF mov eax, dword ptr fs:[00000030h] 17_2_04ECF0BF
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04E99080 mov eax, dword ptr fs:[00000030h] 17_2_04E99080
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EA849B mov eax, dword ptr fs:[00000030h] 17_2_04EA849B
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F13884 mov eax, dword ptr fs:[00000030h] 17_2_04F13884
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F61074 mov eax, dword ptr fs:[00000030h] 17_2_04F61074
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F52073 mov eax, dword ptr fs:[00000030h] 17_2_04F52073
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EB746D mov eax, dword ptr fs:[00000030h] 17_2_04EB746D
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F2C450 mov eax, dword ptr fs:[00000030h] 17_2_04F2C450
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECA44B mov eax, dword ptr fs:[00000030h] 17_2_04ECA44B
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EB0050 mov eax, dword ptr fs:[00000030h] 17_2_04EB0050
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EAB02A mov eax, dword ptr fs:[00000030h] 17_2_04EAB02A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECBC2C mov eax, dword ptr fs:[00000030h] 17_2_04ECBC2C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F64015 mov eax, dword ptr fs:[00000030h] 17_2_04F64015
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F17016 mov eax, dword ptr fs:[00000030h] 17_2_04F17016
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F51C06 mov eax, dword ptr fs:[00000030h] 17_2_04F51C06
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F6740D mov eax, dword ptr fs:[00000030h] 17_2_04F6740D
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F16C0A mov eax, dword ptr fs:[00000030h] 17_2_04F16C0A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F48DF1 mov eax, dword ptr fs:[00000030h] 17_2_04F48DF1
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04E9B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04E9B1E1
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EAD5E0 mov eax, dword ptr fs:[00000030h] 17_2_04EAD5E0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F241E8 mov eax, dword ptr fs:[00000030h] 17_2_04F241E8
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EC61A0 mov eax, dword ptr fs:[00000030h] 17_2_04EC61A0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EC35A1 mov eax, dword ptr fs:[00000030h] 17_2_04EC35A1
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04F169A6 mov eax, dword ptr fs:[00000030h] 17_2_04F169A6
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EC1DB5 mov eax, dword ptr fs:[00000030h] 17_2_04EC1DB5
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04E92D8A mov eax, dword ptr fs:[00000030h] 17_2_04E92D8A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECA185 mov eax, dword ptr fs:[00000030h] 17_2_04ECA185
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04EBC182 mov eax, dword ptr fs:[00000030h] 17_2_04EBC182
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_04ECFD9B mov eax, dword ptr fs:[00000030h] 17_2_04ECFD9B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04ECFD9B mov eax, dword ptr fs:[00000030h]17_2_04ECFD9B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04E9C962 mov eax, dword ptr fs:[00000030h]17_2_04E9C962
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04E9B171 mov eax, dword ptr fs:[00000030h]17_2_04E9B171
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04E9B171 mov eax, dword ptr fs:[00000030h]17_2_04E9B171
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EBC577 mov eax, dword ptr fs:[00000030h]17_2_04EBC577
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EBC577 mov eax, dword ptr fs:[00000030h]17_2_04EBC577
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04ED3D43 mov eax, dword ptr fs:[00000030h]17_2_04ED3D43
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EBB944 mov eax, dword ptr fs:[00000030h]17_2_04EBB944
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EBB944 mov eax, dword ptr fs:[00000030h]17_2_04EBB944
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04F13540 mov eax, dword ptr fs:[00000030h]17_2_04F13540
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB7D50 mov eax, dword ptr fs:[00000030h]17_2_04EB7D50
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04F68D34 mov eax, dword ptr fs:[00000030h]17_2_04F68D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04F1A537 mov eax, dword ptr fs:[00000030h]17_2_04F1A537
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB4120 mov eax, dword ptr fs:[00000030h]17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB4120 mov eax, dword ptr fs:[00000030h]17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB4120 mov eax, dword ptr fs:[00000030h]17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB4120 mov eax, dword ptr fs:[00000030h]17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EB4120 mov ecx, dword ptr fs:[00000030h]17_2_04EB4120
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EC513A mov eax, dword ptr fs:[00000030h]17_2_04EC513A
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EC513A mov eax, dword ptr fs:[00000030h]17_2_04EC513A
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EC4D3B mov eax, dword ptr fs:[00000030h]17_2_04EC4D3B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EC4D3B mov eax, dword ptr fs:[00000030h]17_2_04EC4D3B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EC4D3B mov eax, dword ptr fs:[00000030h]17_2_04EC4D3B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04E9AD30 mov eax, dword ptr fs:[00000030h]17_2_04E9AD30
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword ptr fs:[00000030h]17_2_04EA3D34
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_04EA3D34 mov eax, dword pt