Windows Analysis Report ltylqhqpele080

Overview

General Information

Sample Name: ltylqhqpele080 (renamed file extension from none to exe)
Analysis ID: 533021
MD5: 45ee102bc8dcea993313fbcf1ff617f8
SHA1: 7c2d4af342bec7d137df5ee7bb7048b3db22b692
SHA256: ecab5de023d8473783a6824f69b59a1bfd7f1223792a96babfb997a292e7d789
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • ltylqhqpele080.exe (PID: 2208 cmdline: "C:\Users\user\Desktop\ltylqhqpele080.exe" MD5: 45EE102BC8DCEA993313FBCF1FF617F8)
    • ltylqhqpele080.exe (PID: 6932 cmdline: C:\Users\user\Desktop\ltylqhqpele080.exe MD5: 45EE102BC8DCEA993313FBCF1FF617F8)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 5296 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 5584 cmdline: /c del "C:\Users\user\Desktop\ltylqhqpele080.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5884 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.kjtaxpro.com/r0bh/"], "decoy": ["karo-tasty.com", "canlioyuncuyuz.online", "app-demo.xyz", "fountainspringscapemay.com", "completefuid.com", "sideroyalpalacehotel.website", "tollesonhouses.com", "zjef.top", "fuckingmom89.xyz", "toituresante.com", "arabatas.com", "trans-mall.com", "davidruperezdorao.com", "cspro-lb.com", "xiluoxtmcwj.com", "medicinaoralbarcelona.com", "rayganesh.com", "bakosaoje.xyz", "8nst.com", "nigeriasecurityexpo.com", "geradsss.com", "nsureagent.com", "luxerlegends.com", "usedhondacar.com", "39mpt.xyz", "pellecorentin.com", "suddennnnnnnnnnnn37.xyz", "feierabendshop.com", "latest-football.pro", "mayyaramedical.com", "astrielle.com", "icobrothers.media", "946aaw.net", "resourcesassitance.com", "divinebaking.online", "allmanac.info", "mushukids.com", "trendytechtreats.com", "clubfohl.com", "ttportalbham2.com", "productzon.net", "ambosholmzoril.com", "luosenhuagong.com", "zhbhhj.com", "eclox-btp.com", "oldstjoe.com", "longshengfz.com", "sarasotaexterminator.com", "getjoyce.net", "game-band.com", "5gongvo.xyz", "gcioral.xyz", "missuser.info", "invertirenstartup.com", "018seo.com", "angeleyesevents.com", "heritzlab.com", "eleditorplatense.com", "ectax.online", "ngaviations.com", "spiveyvillage.online", "heartfeltgiftery.com", "resortonannamariais.land", "crktinc.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(31 further entries not shown in this excerpt)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.ltylqhqpele080.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.ltylqhqpele080.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.ltylqhqpele080.exe.400000.6.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
4.0.ltylqhqpele080.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.ltylqhqpele080.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further entries not shown in this excerpt)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection:

Found malware configuration
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: ltylqhqpele080.exe, Virustotal: Detection: 35%
Source: ltylqhqpele080.exe, ReversingLabs: Detection: 70%
Yara detected FormBook
Source: Yara match, File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: ltylqhqpele080.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ltylqhqpele080.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ltylqhqpele080.exe, ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wscript.pdb source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\ltylqhqpele080.exe, Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\ltylqhqpele080.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\ltylqhqpele080.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.kjtaxpro.com/r0bh/
Source: explorer.exe, 00000014.00000003.858985956.0000000005B82000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.854322656.0000000005B9F000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853322407.0000000005BA3000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.885459379.0000000005B82000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000014.00000003.855454668.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.859217350.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854275861.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853620009.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854749305.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853677185.0000000005C61000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853526769.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853189065.0000000005C55000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.microsoft.co
Source: explorer.exe, 00000014.00000003.885877595.0000000005BFE000.00000004.00000001.sdmp, String found in binary or memory: http://schrosoft.com/win/2004/08/events/event
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, DNS traffic detected: queries for: www.productzon.net
Source: ltylqhqpele080.exe, 00000000.00000002.670129647.0000000000CE0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match (the same unpacked PE and memory dump sources as listed for this signature under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: ltylqhqpele080.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: String function 0196B150 appears 139 times
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function 047CB150 appears 136 times
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_004185D0 NtCreateFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_00418680 NtReadFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_00418700 NtClose
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_004187B0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0041867A NtReadFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_004186FC NtClose
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_004187AB NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A98F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A95D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A97A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A99D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9950 NtQueueApcThread
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A98A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9820 NtEnumerateKey
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019AB040 NtSuspendThread
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019AA3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9B00 NtSetValueKey
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9A10 NtQuerySection
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A95F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019AAD30 NtSetContextThread
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9560 NtWriteFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019AA710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019AA770 NtOpenThread
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9770 NtSetInformationFile
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9760 NtOpenProcess
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A96D0 NtCreateKey
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9650 NtQueryValueKey
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048095D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048096D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048096E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048099A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048095F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0480AD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809560 NtWriteFile
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048097A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0480A710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809760 NtOpenProcess
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0480A770 NtOpenThread
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048098A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048098F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04809820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0480B040 NtSuspendThread
            Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_048099D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0480A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_04809B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02398680 NtReadFile,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02398700 NtClose,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023987B0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023985D0 NtCreateFile,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0239867A NtReadFile,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023986FC NtClose,
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023987AB NtAllocateVirtualMemory,
            Source: ltylqhqpele080.exe Binary or memory string: OriginalFilename vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.670129647.0000000000CE0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.672813701.00000000073F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000000.00000002.672859745.0000000007610000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000004.00000002.726882016.0000000001BEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe Binary or memory string: OriginalFilenameCspKeyContainerIn.exe6 vs ltylqhqpele080.exe
            Source: ltylqhqpele080.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ltylqhqpele080.exe Virustotal: Detection: 35%
            Source: ltylqhqpele080.exe ReversingLabs: Detection: 70%
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\ltylqhqpele080.exe "C:\Users\user\Desktop\ltylqhqpele080.exe"
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ltylqhqpele080.exe.log
            Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@1/0
            Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\explorer.exe
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: ltylqhqpele080.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ltylqhqpele080.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: ltylqhqpele080.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wscript.pdbGCTL source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: ltylqhqpele080.exe, ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
            Source: Binary string: wscript.pdb source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: ltylqhqpele080.exe, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.ltylqhqpele080.exe.560000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.ltylqhqpele080.exe.560000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.3.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.5.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.2.ltylqhqpele080.exe.f30000.1.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.9.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.2.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.1.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.ltylqhqpele080.exe.f30000.7.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00566F01 push es; iretd
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00566E2F push es; iretd
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAC448 push esp; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EA423A push esp; retf
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EA4358 pushfd ; retf
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B87C push eax; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B812 push eax; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B81B push eax; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041CD74 push dword ptr [0E9B1F9Dh]; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041CE24 push dword ptr [8E775501h]; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B7C5 push eax; ret
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00F36E2F push es; iretd
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00F36F01 push es; iretd
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019BD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0481D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B81B push eax; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B812 push eax; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B87C push eax; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239CE24 push dword ptr [8E775501h]; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B7C5 push eax; ret
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239CD74 push dword ptr [0E9B1F9Dh]; ret
            Source: ltylqhqpele080.exe Static PE information: 0xA2510432 [Mon Apr 17 17:34:42 2056 UTC]
            Source: initial sample Static PE information: section name: .text entropy: 7.88898363134

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
            Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match File source: 0.2.ltylqhqpele080.exe.28c564c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.ltylqhqpele080.exe.28f1cc8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: ltylqhqpele080.exe PID: 2208, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000002388604 second address: 000000000238860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000238898E second address: 0000000002388994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe TID: 1280 Thread sleep time: -35612s >= -30000s
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004088C0 rdtsc
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread delayed: delay time: 35612
            Source: explorer.exe, 00000014.00000000.854473585.0000000005C05000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000014.00000003.888902769.00000000102E6000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B2
            Source: explorer.exe, 00000014.00000003.876543204.000000001021A000.00000004.00000001.sdmp Binary or memory string: 6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000S
            Source: explorer.exe, 00000014.00000003.834277481.0000000003F17000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000006.00000000.705558543.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000014.00000000.853774785.0000000005ACD000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00Rom0o
            Source: explorer.exe, 00000006.00000000.700531325.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000006.00000000.692668305.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000006.00000000.705988911.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 00000014.00000003.850798839.0000000005AE8000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000N%\
            Source: explorer.exe, 00000014.00000003.850798839.0000000005AE8000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
            Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: explorer.exe, 00000014.00000003.850415833.0000000005AA6000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000014.00000003.879647210.000000000FBBC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
            Source: explorer.exe, 00000014.00000003.853322407.0000000005BA3000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000014.00000000.877472550.000000001021F000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bre
            Source: explorer.exe, 00000014.00000003.873385225.000000000FBD7000.00000004.00000001.sdmp Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000014.00000003.850415833.0000000005AA6000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: explorer.exe, 00000006.00000000.677894895.000000000A897000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}FilesP11
            Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000014.00000003.853112569.0000000005BEC000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
            Source: explorer.exe, 00000014.00000000.877421020.000000001020E000.00000004.00000001.sdmp Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}j
            Source: explorer.exe, 00000014.00000000.878698122.0000000010E60000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb0<4
            Source: explorer.exe, 00000014.00000003.853112569.0000000005BEC000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00&
            Source: explorer.exe, 00000014.00000000.878017612.00000000102E4000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53
            Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 00000014.00000000.878040545.00000000102E6000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000014.00000003.861258555.000000000FBD7000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
            Source: explorer.exe, 00000014.00000000.878770374.0000000010E6C000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&
            Source: explorer.exe, 00000014.00000003.828472411.0000000003FF9000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:YU"M
            Source: explorer.exe, 00000014.00000003.888887792.00000000102E2000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bg
            Source: explorer.exe, 00000014.00000003.879647210.000000000FBBC000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
            Source: explorer.exe, 00000014.00000003.873385225.000000000FBD7000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
            Source: explorer.exe, 00000006.00000000.680137543.000000000FD4E000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAd
            Source: explorer.exe, 00000014.00000003.861258555.000000000FBD7000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
            Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.689720858.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000014.00000000.853774785.0000000005ACD000.00000004.00000001.sdmpBinary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:Ga
            Source: explorer.exe, 00000014.00000003.828389918.0000000003F73000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&
            Source: explorer.exe, 00000014.00000003.879647210.000000000FBBC000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
            Source: explorer.exe, 00000014.00000003.861258555.000000000FBD7000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
            Source: explorer.exe, 00000014.00000003.866004106.000000000FB37000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BSm
            Source: explorer.exe, 00000014.00000003.873385225.000000000FBD7000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000014.00000003.885027734.000000000FE1C000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9
            Source: explorer.exe, 00000014.00000000.852393959.0000000005A05000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_004088C0 rdtsc
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A249A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A249A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A249A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A249A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01992990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019899BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019961A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019961A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019F41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01969100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01969100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01969100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01984120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01984120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01984120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01984120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01984120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01969080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019A90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019658EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01980050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01980050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A22073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A31074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198EB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198EB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A35BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01992397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01971B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01971B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A1D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A2138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01994BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01994BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01994BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A123E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A123E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A123E3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019E53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A2131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01993B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01993B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A38B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0197AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0199FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01992ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_01992AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe | Code function: 4_2_0196AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01983A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01965210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01965210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01965210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01965210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01978A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A38A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A1B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A1B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019F4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01969240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01969240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01969240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01969240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01992581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01992581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01992581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01992581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019935A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A18DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A38D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0196AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019EA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01987D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A13D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A214FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A38CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019FC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019FC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01978794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01994710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019FFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019FFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01993F33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A3070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A3070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01964F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01964F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A38F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019FFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019E46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019936CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019A8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A1FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A38ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019776E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_019916E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0199A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01998E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A1FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A21608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0196E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_01A2AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeCode function: 4_2_0197766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04898CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048814FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0485C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048905AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047CAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00409B30 LdrLoadDll,
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 110000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\System32\conhost.exe protection: read write
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Memory written: C:\Users\user\Desktop\ltylqhqpele080.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3424
            Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 5884
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
            Source: explorer.exe, 00000006.00000000.699706643.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.671140171.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.687804076.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.703346932.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.844856375.0000000004820000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.846625096.00000000049F0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.846625096.00000000049F0000.00000004.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000014.00000000.839673947.0000000000548000.00000004.00000020.sdmp Binary or memory string: CProgman
            Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp Binary or memory string: [Program Manager
            Source: explorer.exe, 00000006.00000000.677167988.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.705703271.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.692668305.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
            Source: explorer.exe, 00000014.00000000.845391855.00000000048AD000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.825408061.00000000048AD000.00000004.00000001.sdmp Binary or memory string: Progmanp
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Users\user\Desktop\ltylqhqpele080.exe VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\ltylqhqpele080.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

Techniques listed per tactic column (the digits attached to a technique name are the signature counters shown in the matrix cell):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Shared Modules1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading1; Disable or Modify Tools1; Virtualization/Sandbox Evasion41; Process Injection512; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information4; Software Packing13; Timestomp1; File Deletion1
Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Query Registry1; Security Software Discovery231; Process Discovery2; Virtualization/Sandbox Evasion41; File and Directory Discovery1; System Information Discovery112; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel1; Non-Application Layer Protocol1; Application Layer Protocol11; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 533021; Sample: ltylqhqpele080; Startdate: 02/12/2021; Architecture: WINDOWS; Score: 100

DNS/IP info at the root node: www.productzon.net
Signatures at the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree recovered from the graph (numbers after a process name are the node counters the graph legend labels as number of created registry values and number of created files):

ltylqhqpele080.exe 3 (started)
    dropped file: C:\Users\user\...\ltylqhqpele080.exe.log, ASCII
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    ltylqhqpele080.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            wscript.exe (started)
                signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe 1 (started)
                    conhost.exe (started)
                explorer.exe 2 152 (started)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
ltylqhqpele080.exe | 36% | Virustotal |
ltylqhqpele080.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
4.0.ltylqhqpele080.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.ltylqhqpele080.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.ltylqhqpele080.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.ltylqhqpele080.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://schrosoft.com/win/2004/08/events/event | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://schemas.microsoft.co | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.productzon.net | 217.116.0.191 | true | true | | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schrosoft.com/win/2004/08/events/event | explorer.exe, 00000014.00000003.885877595.0000000005BFE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.microsoft.co | explorer.exe, 00000014.00000003.855454668.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.859217350.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854275861.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853620009.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854749305.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853677185.0000000005C61000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853526769.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853189065.0000000005C55000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs

                                  No contacted IP infos

                                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 533021
Start date: 02.12.2021
Start time: 23:25:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ltylqhqpele080 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@1/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.9% (good quality ratio 15.8%)
• Quality average: 71.5%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe, mobsync.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
23:26:11 | API Interceptor | 1x Sleep call for process: ltylqhqpele080.exe modified
23:27:26 | API Interceptor | 203x Sleep call for process: explorer.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ltylqhqpele080.exe.log
Process: C:\Users\user\Desktop\ltylqhqpele080.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                  Static File Info

                                  General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.875247385950229
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: ltylqhqpele080.exe
File size: 386048
MD5: 45ee102bc8dcea993313fbcf1ff617f8
SHA1: 7c2d4af342bec7d137df5ee7bb7048b3db22b692
SHA256: ecab5de023d8473783a6824f69b59a1bfd7f1223792a96babfb997a292e7d789
SHA512: 46797175745f86e63bdaa1bcb5208cf91b8edc5c4b7de73164b95c2931e0f619c5630f99a9bca12ca714d32c28aa287ccddb6029e38d2ca98012de6232386df9
SSDEEP: 6144:R1SL/CSH+eCEP8iFZhaYoeiAbgrHh5WAzSOyNg5VCSMBa56KJv1B5v16yaIpdEfZ:FSHzv7aMiAbwBgwVyS/CSMBa56Iv1l7c
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.Q...............0.................. ........@.. .......................@............@................................

                                  File Icon

Icon Hash: 00828e8e8686b000

                                  Static PE Info

                                  General

Entrypoint: 0x45f90a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xA2510432 [Mon Apr 17 17:34:42 2056 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  or dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  push es
                                  add byte ptr [eax], al
                                  add byte ptr [esi], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al

                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f8b8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x5d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5f89c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5d920 | 0x5da00 | False | 0.921103137517 | data | 7.88898363134 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x60000 | 0x5d4 | 0x600 | False | 0.427734375 | data | 4.13824425453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x62000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x60090 | 0x344 | data | |
RT_MANIFEST | 0x603e4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                  Imports

DLL | Import
mscoree.dll | _CorExeMain

                                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2021
Assembly Version | 1.0.0.0
InternalName | CspKeyContainerIn.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | BugVenture
ProductVersion | 1.0.0.0
FileDescription | BugVenture
OriginalFilename | CspKeyContainerIn.exe
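The section, import and version-info tables above are what a first-pass static triage consumes: a 7.89-entropy .text section that makes up almost the whole file, an import table consisting of nothing but mscoree.dll!_CorExeMain, and product strings with no vendor. The following script is an added example, not part of the Joe Sandbox report and not the sample's own code. It implements the Shannon entropy the Entropy column reports and runs a few packed-.NET heuristics over values transcribed from the tables; the entropy threshold (7.2 bits), the bulk-section ratio (90 %) and the finding tags are the example author's assumptions, not values from the report.

```python
import math
from collections import Counter

CODE_FLAG = "IMAGE_SCN_CNT_CODE"

# Transcribed from the Sections, Imports and Version Infos tables of the report.
# The section bytes themselves are not on the page, so entropies are used as reported.
REPORT_SECTIONS = [
    {"name": ".text", "vsize": 0x5D920, "rawsize": 0x5DA00, "entropy": 7.889,
     "flags": {"IMAGE_SCN_MEM_EXECUTE", CODE_FLAG, "IMAGE_SCN_MEM_READ"}},
    {"name": ".rsrc", "vsize": 0x5D4, "rawsize": 0x600, "entropy": 4.138,
     "flags": {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}},
    {"name": ".reloc", "vsize": 0xC, "rawsize": 0x200, "entropy": 0.098,
     "flags": {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE",
               "IMAGE_SCN_MEM_READ"}},
]
REPORT_IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
REPORT_VERSION = {"OriginalFilename": "CspKeyContainerIn.exe",
                  "ProductName": "BugVenture", "CompanyName": ""}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one repeated value) to 8.0 (uniform).
    This is the quantity shown in the Entropy column of the section table."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(sections, imports, version, entropy_threshold=7.2, bulk_ratio=0.9):
    """Return a list of (tag, detail) findings.
    Thresholds are assumptions chosen for this example, not report values."""
    findings = []
    clr_entry = {"_CorExeMain", "_CorDllMain"} & set(imports.get("mscoree.dll", []))
    if clr_entry and set(imports) == {"mscoree.dll"}:
        findings.append(("managed-only-imports",
                         "only mscoree.dll!%s is imported: a .NET assembly whose Win32 "
                         "calls are resolved by the CLR at run time, so the import "
                         "table says nothing about capability" % next(iter(clr_entry))))
    total_raw = sum(s["rawsize"] for s in sections) or 1
    for s in sections:
        is_code = CODE_FLAG in s["flags"]
        if is_code and s["entropy"] >= entropy_threshold:
            findings.append(("high-entropy-code",
                             "%s entropy %.2f: plain IL and metadata sit well below this; "
                             "expect an encrypted or compressed embedded payload"
                             % (s["name"], s["entropy"])))
        if is_code and s["rawsize"] / total_raw >= bulk_ratio:
            findings.append(("single-section-bulk",
                             "%s holds %.0f%% of the file"
                             % (s["name"], 100 * s["rawsize"] / total_raw)))
        # Virtual size far above raw size means the loader zero-fills space a
        # packer will write into at run time (not the case for this sample).
        if s["vsize"] > 2 * max(s["rawsize"], 1):
            findings.append(("zero-fill-section",
                             "%s virtual 0x%x vs raw 0x%x"
                             % (s["name"], s["vsize"], s["rawsize"])))
    if version.get("OriginalFilename") and not version.get("CompanyName"):
        findings.append(("sparse-version-info",
                         "OriginalFilename %r with no CompanyName: product strings "
                         "without a vendor deserve a second look"
                         % version["OriginalFilename"]))
    return findings


if __name__ == "__main__":
    for tag, detail in triage_pe(REPORT_SECTIONS, REPORT_IMPORTS, REPORT_VERSION):
        print("[%s] %s" % (tag, detail))
```

Run against the transcribed values, the script reports the managed-only import table, the high-entropy .text section and that .text holds about 99 % of the file. The entropy figure alone is not a verdict: signed installers with compressed resources also score high, which is why the heuristic is gated on the section carrying IMAGE_SCN_CNT_CODE.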

                                  Network Behavior

                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/02/21-23:28:17.477950 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49882 | 80 | 192.168.2.4 | 217.116.0.191
12/02/21-23:28:17.477950 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49882 | 80 | 192.168.2.4 | 217.116.0.191
12/02/21-23:28:17.477950 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49882 | 80 | 192.168.2.4 | 217.116.0.191

                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 23:28:17.350223064 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Dec 2, 2021 23:28:17.408628941 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4

                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 23:28:17.350223064 CET | 192.168.2.4 | 8.8.8.8 | 0x245a | Standard query (0) | www.productzon.net | A (IP address) | IN (0x0001)

                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 23:28:17.408628941 CET | 8.8.8.8 | 192.168.2.4 | 0x245a | No error (0) | www.productzon.net | | 217.116.0.191 | A (IP address) | IN (0x0001)

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:23:26:05
                                  Start date:02/12/2021
                                  Path:C:\Users\user\Desktop\ltylqhqpele080.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\ltylqhqpele080.exe"
                                  Imagebase:0x560000
                                  File size:386048 bytes
                                  MD5 hash:45EE102BC8DCEA993313FBCF1FF617F8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:23:26:13
                                  Start date:02/12/2021
                                  Path:C:\Users\user\Desktop\ltylqhqpele080.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\ltylqhqpele080.exe
                                  Imagebase:0xf30000
                                  File size:386048 bytes
                                  MD5 hash:45EE102BC8DCEA993313FBCF1FF617F8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:23:26:15
                                  Start date:02/12/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff6fee60000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:23:26:35
                                  Start date:02/12/2021
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\wscript.exe
                                  Imagebase:0x110000
                                  File size:147456 bytes
                                  MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:23:26:40
                                  Start date:02/12/2021
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
                                  Imagebase:0x11d0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:26:42
                                  Start date:02/12/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6eb840000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:27:25
                                  Start date:02/12/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                                  Imagebase:0x7ff6fee60000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
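The process blocks above, read in order, are the whole FormBook execution story: the .NET stub starts a second copy of itself that the sandbox no longer classifies as .NET (the hollowed child), explorer.exe and a bare wscript.exe then carry FormBook YARA hits, and cmd.exe deletes the original file; the DNS answer for www.productzon.net explains why the three Snort check-in alerts point at 217.116.0.191. The script below is an added example, not part of the Joe Sandbox report and not the malware's code. It turns those observations into detection logic over process and network records transcribed from the tables above; the list of script hosts, the detection heuristics and the finding tags are the example author's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    start: str      # HH:MM:SS as listed in the report
    path: str
    cmdline: str
    lang: str       # the sandbox's "Programmed in" field
    yara: bool      # True if a FormBook rule matched this process's memory


SAMPLE = r"C:\Users\user\Desktop\ltylqhqpele080.exe"
NATIVE = "C, C++ or other language"

# Transcribed from the System Behavior blocks of the report.
PROCESSES = [
    Proc("23:26:05", SAMPLE, '"%s"' % SAMPLE, ".Net C# or VB.NET", True),
    Proc("23:26:13", SAMPLE, SAMPLE, NATIVE, True),
    Proc("23:26:15", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", NATIVE, True),
    Proc("23:26:35", r"C:\Windows\SysWOW64\wscript.exe",
         r"C:\Windows\SysWOW64\wscript.exe", NATIVE, True),
    Proc("23:26:40", r"C:\Windows\SysWOW64\cmd.exe", '/c del "%s"' % SAMPLE, NATIVE, False),
    Proc("23:26:42", r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", NATIVE, False),
    Proc("23:27:25", r"C:\Windows\explorer.exe",
         r'"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS', NATIVE, False),
]

# Transcribed from the DNS Answers and Snort IDS Alerts tables of the report.
DNS_ANSWERS = [("www.productzon.net", "217.116.0.191")]
IDS_ALERTS = [  # (sid, message, src, sport, dst, dport)
    (2031453, "ET TROJAN FormBook CnC Checkin (GET)", "192.168.2.4", 49882, "217.116.0.191", 80),
    (2031449, "ET TROJAN FormBook CnC Checkin (GET)", "192.168.2.4", 49882, "217.116.0.191", 80),
    (2031412, "ET TROJAN FormBook CnC Checkin (GET)", "192.168.2.4", 49882, "217.116.0.191", 80),
]

# Script hosts that legitimately always carry a script path on the command line.
# Assumed list for this example, not taken from the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_indicators(procs, sample_path):
    """Return (tag, detail) findings over an ordered process list."""
    out = []
    runs = [p for p in procs if p.path.lower() == sample_path.lower()]
    # Self-hollowing: the sample starts a second copy of itself and the sandbox
    # no longer recognises that child as .NET because its image was replaced.
    if len(runs) >= 2 and runs[0].lang != runs[1].lang:
        out.append(("self-hollowing",
                    "%s: second instance at %s reported as '%s' instead of '%s'"
                    % (basename(sample_path), runs[1].start, runs[1].lang, runs[0].lang)))
    for p in procs:
        name = basename(p.path)
        if p.yara and name != basename(sample_path):
            out.append(("injected-system-process",
                        "%s (%s) is a Windows binary but carries the family's YARA signature"
                        % (name, p.start)))
        if name in SCRIPT_HOSTS and p.cmdline.strip().strip('"').lower() == p.path.lower():
            out.append(("bare-script-host",
                        "%s (%s) started with no script argument" % (name, p.start)))
        if name == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+?)"?\s*$', p.cmdline, re.I)
            if m and m.group(1).lower() == sample_path.lower():
                out.append(("self-delete",
                            "cmd.exe (%s) deletes the original sample" % p.start))
    return out


def network_indicators(dns_answers, alerts):
    """Tie every alerted destination back to the name that resolved to it."""
    name_for = {ip: name for name, ip in dns_answers}
    iocs = {}
    for sid, msg, _src, _sport, dst, dport in alerts:
        e = iocs.setdefault(dst, {"domain": name_for.get(dst), "ports": set(),
                                  "sids": set(), "messages": set()})
        e["ports"].add(dport)
        e["sids"].add(sid)
        e["messages"].add(msg)
    return iocs


if __name__ == "__main__":
    for tag, detail in process_indicators(PROCESSES, SAMPLE):
        print("[%s] %s" % (tag, detail))
    for ip, e in network_indicators(DNS_ANSWERS, IDS_ALERTS).items():
        print("C2 %s (%s) ports=%s sids=%s"
              % (ip, e["domain"], sorted(e["ports"]), sorted(e["sids"])))
```

On the transcribed records this yields one self-hollowing finding, two injected system processes (explorer.exe and wscript.exe), one bare script host, one self-delete, and a single C2 entry mapping 217.116.0.191 to www.productzon.net with the three Emerging Threats SIDs. The "lang" comparison stands in for what an EDR would check directly: whether a process's mapped image still matches the file on disk.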
